CVE-2021-3864 Overview
A privilege escalation vulnerability exists in the Linux kernel related to improper handling of the dumpable flag when certain SUID binaries execute descendant processes. The flaw occurs when a SUID binary sets the real UID equal to the effective UID, and the real GID equal to the effective GID. Under these conditions, the descendant process inherits a dumpable value of 1, which can be exploited by an unprivileged local user to place core dumps into root-owned directories when core_pattern is configured with a relative path value.
Critical Impact
An unprivileged local user with access to an eligible root SUID binary can exploit this vulnerability to place core dumps into root-owned directories, potentially resulting in escalation of privileges on the affected system.
Affected Products
- Linux Kernel (all versions prior to fix)
- Debian Linux 10.0 and 11.0
- Red Hat Enterprise Linux 6.0, 7.0, and 9.0
Discovery Timeline
- 2022-08-26 - CVE-2021-3864 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-3864
Vulnerability Analysis
This vulnerability is classified as a Privilege Escalation issue stemming from Improper Access Control (CWE-284). The flaw resides in the Linux kernel's handling of the dumpable process attribute when SUID binaries execute child processes.
The dumpable flag is a kernel security mechanism that controls whether a process can be traced or have its memory dumped. Normally, when a SUID binary executes, the dumpable flag should be cleared to prevent unprivileged users from accessing privileged memory contents through core dumps.
However, when a SUID binary sets its real UID to match its effective UID (and likewise its real GID to match its effective GID), the descendant processes incorrectly inherit a dumpable value of 1. The child process can therefore generate a core dump, and if the core_pattern kernel parameter is set to a relative path, that dump is written into the process's current working directory with the ownership (UID:GID) of the crashing process.
An attacker can leverage this behavior by changing the current working directory to a root-owned location before triggering a crash in the descendant process. The resulting core dump could contain sensitive data or serve as a stepping stone for further privilege escalation.
Root Cause
The root cause lies in the kernel's logic for handling the dumpable flag inheritance when SUID binaries perform UID/GID equalization. When a SUID binary sets real UID == effective UID and real GID == effective GID, the kernel fails to properly restrict the dumpable attribute on descendant processes. This oversight allows core dumps to be generated in unintended locations, bypassing the security controls designed to prevent unprivileged users from accessing privileged process memory.
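To make the inheritance at the heart of this flaw concrete, here is an added Python example (not part of the original advisory) that reads and sets the dumpable attribute through prctl(2) via ctypes and shows that a process forked after the attribute is cleared inherits the cleared value. PR_GET_DUMPABLE=3 and PR_SET_DUMPABLE=4 are the Linux operation numbers; the helper names are this example's own. The same prctl(PR_SET_DUMPABLE, 0) call is the defense-in-depth step a set-user-ID program can take after equalizing its IDs, so that its descendants start out non-dumpable regardless of what the kernel decides.

```python
import ctypes
import os

# prctl(2) operation numbers from <linux/prctl.h>; this example is Linux-only.
PR_GET_DUMPABLE = 3
PR_SET_DUMPABLE = 4

_libc = ctypes.CDLL(None, use_errno=True)
_libc.prctl.restype = ctypes.c_int
_libc.prctl.argtypes = [ctypes.c_int, ctypes.c_ulong, ctypes.c_ulong,
                        ctypes.c_ulong, ctypes.c_ulong]


def get_dumpable() -> int:
    """Dumpable attribute of the calling process: 0 = not dumpable, 1 = dumpable,
    2 = dumpable with root-only core files (what fs.suid_dumpable=2 yields)."""
    value = _libc.prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)
    if value < 0:
        raise OSError(ctypes.get_errno(), "prctl(PR_GET_DUMPABLE) failed")
    return value


def set_dumpable(value: int) -> None:
    """The userland hardening step: a set-user-ID program that has equalized its
    IDs can call this with 0 so that every descendant starts out non-dumpable."""
    if _libc.prctl(PR_SET_DUMPABLE, value, 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "prctl(PR_SET_DUMPABLE) failed")


def descendant_dumpable_after(parent_value: int) -> int:
    """Fork a throwaway 'parent' that sets its dumpable attribute to parent_value,
    then forks a 'descendant' which reports the value it inherited. The caller's
    own process is never modified, so this is safe to call from a test."""
    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:                      # throwaway parent (plays the SUID binary)
        os.close(read_end)
        try:
            set_dumpable(parent_value)
            gpid = os.fork()
            if gpid == 0:             # descendant (the process that might dump core)
                os.write(write_end, str(get_dumpable()).encode())
                os._exit(0)
            os.waitpid(gpid, 0)
        finally:
            os._exit(0)
    os.close(write_end)
    try:
        data = os.read(read_end, 16)
    finally:
        os.close(read_end)
        os.waitpid(pid, 0)
    if not data:
        raise RuntimeError("descendant did not report its dumpable value")
    return int(data)


if __name__ == "__main__":
    print("this process:", get_dumpable())
    for v in (1, 0):
        print(f"parent set dumpable={v} -> descendant sees {descendant_dumpable_after(v)}")
```

The value a descendant reports is exactly the value its parent carried at fork time, which is why a SUID binary left at dumpable=1 hands that state down to every child it spawns; clearing it explicitly closes that path even on a kernel that still carries the flaw.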
Attack Vector
This is a local attack vector requiring the attacker to have:
- Unprivileged local access to the target system
- Access to an eligible root SUID binary that performs UID/GID equalization
- The ability to influence the current working directory
- A core_pattern kernel parameter configured with a relative path
The attacker runs the vulnerable SUID binary from a carefully chosen root-owned working directory so that it spawns a descendant process, then causes that descendant to crash; the resulting core dump is written into the target directory with elevated ownership, which is what makes further exploitation possible. Detailed technical information can be found in the Red Hat Bug Report #2015046 and the Openwall OSS Security Mailing List discussion.
Detection Methods for CVE-2021-3864
Indicators of Compromise
- Unexpected core dump files appearing in root-owned directories such as /root, /etc, or other privileged locations
- Core dump files with unexpected ownership or permission patterns in sensitive directories
- Unusual execution patterns of SUID binaries followed by process crashes
- Audit logs showing SUID binary execution with subsequent child process termination signals
Detection Strategies
- Monitor for core dump file creation in root-owned or sensitive system directories using file integrity monitoring
- Implement audit rules to track SUID binary execution and subsequent process terminations using auditd
- Review core_pattern kernel parameter configuration for relative path values that could be exploited
- Deploy endpoint detection solutions to identify suspicious patterns of SUID binary exploitation
Monitoring Recommendations
- Configure auditd rules to monitor execution of SUID binaries: -a always,exit -F path=/path/to/suid -F perm=x -k suid_exec
- Enable monitoring for file creation events in critical system directories
- Implement alerting for unexpected core dump generation, especially in privileged directories
- Regularly audit the core_pattern setting via /proc/sys/kernel/core_pattern
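The auditd rule above tags set-user-ID executions with the key suid_exec; the indicator that matters for this CVE is such an execution followed shortly by an abnormal termination (auditd records those as ANOM_ABEND) in the same login session, ideally with the exec event's CWD record pointing into a privileged directory. Below is an added Python example, not part of this page, that parses audit.log style records and performs that correlation. The log lines are constructed for the example, and the session-plus-time-window heuristic, the sensitive directory list and the function names are this example's own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample audit.log records (not captured from a real host). Event 201 is a
# set-user-ID binary executed from /etc (the SYSCALL and CWD records share one event id)
# and event 202 is an abnormal termination in the same login session 149 ms later.
# Events 301/302 are a benign crash in another session with no preceding SUID exec.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1634567890.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1800 pid=1801 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="suidtool" exe="/usr/local/bin/suidtool" key="suid_exec"
type=CWD msg=audit(1634567890.101:201): cwd="/etc"
type=ANOM_ABEND msg=audit(1634567890.250:202): auid=1000 uid=0 gid=1000 ses=3 pid=1802 comm="helper" exe="/usr/local/bin/helper" sig=11 res=1
type=SYSCALL msg=audit(1634567950.000:301): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2001 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="editor" exe="/usr/bin/editor" key=(null)
type=ANOM_ABEND msg=audit(1634567951.000:302): auid=1001 uid=1001 gid=1001 ses=4 pid=2001 comm="editor" exe="/usr/bin/editor" sig=6 res=1
"""

# Directories where a core file should never appear; extend per host (assumption).
SENSITIVE_DIRS = ("/root", "/etc", "/boot", "/usr")

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG = re.compile(r'audit\((\d+\.\d+):(\d+)\)')


def parse_record(line: str) -> dict:
    """Split one audit record into key/value pairs (quoted values unquoted); the event
    timestamp and serial from msg=audit(ts:serial) are stored under _ts and _serial."""
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _MSG.search(line)
    if m:
        fields["_ts"] = float(m.group(1))
        fields["_serial"] = int(m.group(2))
    return fields


def is_sensitive(path: Optional[str]) -> bool:
    return path is not None and any(path == d or path.startswith(d + "/") for d in SENSITIVE_DIRS)


@dataclass
class Alert:
    abend_serial: int
    crashed_pid: int
    crashed_exe: str
    suid_exe: str
    cwd: Optional[str]
    cwd_sensitive: bool
    seconds_after_exec: float


def correlate(log_text: str, window_s: float = 60.0) -> List[Alert]:
    """Flag ANOM_ABEND records that follow, within window_s seconds and in the same
    login session (ses), a successful execve tagged with the suid_exec audit key."""
    events: Dict[int, dict] = {}
    order: List[int] = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        serial = rec.get("_serial")
        if serial is None:
            continue
        if serial not in events:
            events[serial] = {}
            order.append(serial)
        if rec.get("type") in ("SYSCALL", "ANOM_ABEND"):
            events[serial].update(rec)                 # main record of the event
        elif rec.get("type") == "CWD":
            events[serial]["cwd"] = rec.get("cwd")     # working directory at exec time

    suid_execs: List[dict] = []
    alerts: List[Alert] = []
    for serial in order:
        ev = events[serial]
        if ev.get("type") == "SYSCALL" and ev.get("key") == "suid_exec" and ev.get("success") == "yes":
            suid_execs.append(ev)
        elif ev.get("type") == "ANOM_ABEND":
            for ex in reversed(suid_execs):            # most recent matching SUID exec wins
                delta = ev["_ts"] - ex["_ts"]
                if ex.get("ses") == ev.get("ses") and 0 <= delta <= window_s:
                    cwd = ex.get("cwd")
                    alerts.append(Alert(abend_serial=serial, crashed_pid=int(ev["pid"]),
                                        crashed_exe=ev.get("exe", "?"), suid_exe=ex.get("exe", "?"),
                                        cwd=cwd, cwd_sensitive=is_sensitive(cwd),
                                        seconds_after_exec=delta))
                    break
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_AUDIT_LOG):
        print(a)
```

Session id and a short time window are a coarse join; on a busy host, narrow it further by requiring that the crashed process's ppid chain leads back to the SUID exec (ANOM_ABEND itself carries no ppid, so that needs the SYSCALL record of the descendant's own fork/exec) or by alerting only when cwd_sensitive is true.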
How to Mitigate CVE-2021-3864
Immediate Actions Required
- Apply kernel patches from your distribution vendor as soon as they become available
- Configure core_pattern to use an absolute path (e.g., /var/crash/%e-%p.core) to prevent exploitation
- Audit SUID binaries on the system and remove unnecessary SUID permissions where possible
- Implement additional access controls and monitoring on sensitive directories
Patch Information
Kernel patches addressing this vulnerability have been discussed on the Linux kernel mailing list. Users should apply updates from their respective distribution vendors:
- Red Hat: Review the Red Hat CVE-2021-3864 Advisory for patches and guidance
- Debian: Check the Debian Security Tracker CVE-2021-3864 for updated packages
- Upstream: Monitor the Kernel Mailing List Discussion for patch details
Workarounds
- Set core_pattern to an absolute path to prevent core dumps from being written to attacker-controlled directories
- Consider setting fs.suid_dumpable=0 via sysctl to disable core dumps for SUID processes entirely
- Restrict access to SUID binaries using file permissions or SELinux/AppArmor policies
- Enable kernel hardening options such as kernel.core_uses_pid=1 for additional protection
# Configuration example - Mitigate by setting absolute core_pattern
# Add to /etc/sysctl.conf or /etc/sysctl.d/99-security.conf
# Set core dump pattern to absolute path
kernel.core_pattern = /var/crash/core.%e.%p.%t
# Disable core dumps for SUID programs (most restrictive)
fs.suid_dumpable = 0
# Apply changes immediately
# sysctl -p /etc/sysctl.d/99-security.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

