CVE-2021-3995 Overview
A logic error was found in the libmount library of util-linux, in the code path that lets an unprivileged user unmount a FUSE filesystem. The owner check compared UIDs as strings rather than as numbers, so an unprivileged local attacker can unmount FUSE filesystems belonging to other users whose UID, written in decimal, is a prefix of the attacker's own UID. The result is a denial of service for applications that use the affected filesystems.
Critical Impact
Local attackers can unmount FUSE filesystems belonging to other users through UID string prefix matching, causing denial of service to applications relying on those filesystems. The impact is confined to availability: the flaw grants no read or write access to the data behind the mount. NVD scores it CVSS 3.1 5.5 (Medium), with local access and low privileges required.
Affected Products
- util-linux (versions prior to v2.37.3)
- Fedora 35
- Additional distributions using vulnerable util-linux versions
Discovery Timeline
- 2022-01-24 - Vulnerability details disclosed via OSS-Security Mailing List
- 2022-08-23 - CVE CVE-2021-3995 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-3995
Vulnerability Analysis
The vulnerability exists in the FUSE owner check of libmount's unmount code. When a non-root user runs umount on a FUSE filesystem, libmount decides whether the caller owns the mount by reading the user_id= mount option that FUSE records at mount time and comparing it with the caller's UID. Instead of comparing two numbers, the code rendered the caller's UID as a string and compared it with the option value using a string comparison bounded by the length of the option value, so only the leading characters had to agree.
For example, an attacker with UID 1000 can unmount FUSE filesystems owned by UIDs 100, 10 or 1, because "1000" begins with each of those strings and the comparison stops after 3, 2 or 1 characters respectively. The relation is one-way: a user with UID 100 cannot unmount a UID 1000 mount, and FUSE filesystems mounted by root (user_id=0) are not exposed at all, since no other UID's decimal representation starts with 0. In practice the attacker must hold a longer UID than the victim, which is common on multi-user systems that allocate both four- and five-digit UIDs.
NVD classifies the vulnerability under CWE-552 (Files or Directories Accessible to External Parties). Functionally it is an authorization bypass: an unmount operation that should be available only to the mounting user is granted to other unprivileged users.
Root Cause
The root cause lies in the owner check in libmount/src/context_umount.c. The vulnerable code looked up the user_id= option, receiving a pointer to the value (char *user_id) and its length (size_t sz), formatted the caller's UID into a text buffer (char uidstr[...]), and compared the two with a length-limited string comparison bounded by sz. Because only the first sz characters were compared, any caller whose UID string merely begins with the mount's user_id value passed the check.
String comparison is the wrong tool for an identity check: "100" and "1000" are different users but share a prefix. The fix replaces the string-handling variables with two uid_t values, parses the option value into one of them, and compares the numbers, which cannot be fooled by a shared prefix.
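To make the comparison concrete, the following C program is a small self-contained model of the check described in the two sections above. It is written for this page and is not util-linux code: opt_value stands in for libmount's option lookup, fuse_owner_match_vulnerable reproduces the length-bounded string comparison, and fuse_owner_match_fixed shows a numeric comparison of the kind the fix introduces. The helper names and the option strings are this example's own, and nothing here touches a real mount.

```c
/* Added example, not util-linux code: a model of libmount's FUSE owner
 * check before and after CVE-2021-3995.  Helper names and the sample option
 * strings are this example's own; nothing here touches a real mount. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Locate "name=" in a comma-separated option string.  Returns a pointer
 * into optstr at the value and its length in *len, or NULL if absent;
 * this is the (pointer, length) pair the vulnerable check worked with. */
static const char *opt_value(const char *optstr, const char *name, size_t *len)
{
	size_t nlen = strlen(name);
	const char *p = optstr;

	while (p && *p) {
		if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
			const char *v = p + nlen + 1;
			const char *end = strchr(v, ',');
			*len = end ? (size_t)(end - v) : strlen(v);
			return v;
		}
		p = strchr(p, ',');
		if (p)
			p++;
	}
	return NULL;
}

/* VULNERABLE: the caller's UID is rendered as text and compared with the
 * user_id value, but only over the value's own length (sz).  "user_id=100"
 * therefore accepts every caller whose UID string starts with "100". */
int fuse_owner_match_vulnerable(const char *optstr, uid_t caller)
{
	size_t sz;
	const char *user_id = opt_value(optstr, "user_id", &sz);
	char uidstr[3 * sizeof(unsigned long) + 1];

	if (!user_id || sz == 0)
		return 0;
	snprintf(uidstr, sizeof(uidstr), "%lu", (unsigned long) caller);
	return strncmp(user_id, uidstr, sz) == 0;
}

/* Strict decimal parse: digits only, whole value consumed, fits in uid_t. */
static int parse_uid(const char *s, size_t len, uid_t *out)
{
	char buf[32], *end;
	unsigned long v;

	if (len == 0 || len >= sizeof(buf) || s[0] < '0' || s[0] > '9')
		return -1;
	memcpy(buf, s, len);
	buf[len] = '\0';
	errno = 0;
	v = strtoul(buf, &end, 10);
	if (errno || *end != '\0' || v != (unsigned long)(uid_t) v)
		return -1;
	*out = (uid_t) v;
	return 0;
}

/* FIXED: convert the option value to a uid_t and compare numbers.  A
 * missing or malformed user_id is treated as "not the owner". */
int fuse_owner_match_fixed(const char *optstr, uid_t caller)
{
	size_t sz;
	const char *user_id = opt_value(optstr, "user_id", &sz);
	uid_t entry_uid;

	if (!user_id || parse_uid(user_id, sz, &entry_uid) != 0)
		return 0;
	return caller == entry_uid;
}

int main(void)
{
	/* Constructed option strings in the form seen in /proc/self/mountinfo. */
	const char *mounts[] = {
		"rw,nosuid,nodev,relatime,user_id=100,group_id=100",
		"rw,nosuid,nodev,relatime,user_id=0,group_id=0",
	};
	uid_t callers[] = { 0, 100, 1000, 10001, 2000 };
	size_t i, j;

	for (i = 0; i < sizeof(mounts) / sizeof(mounts[0]); i++) {
		printf("%s\n", mounts[i]);
		for (j = 0; j < sizeof(callers) / sizeof(callers[0]); j++)
			printf("  caller %5lu  vulnerable=%d  fixed=%d\n",
			       (unsigned long) callers[j],
			       fuse_owner_match_vulnerable(mounts[i], callers[j]),
			       fuse_owner_match_fixed(mounts[i], callers[j]));
	}
	return 0;
}
```

Compiled and run, the table shows the UID 100 mount matched by callers 100, 1000 and 10001 under the string comparison but only by 100 under the numeric one, while the root-owned mount is matched by nobody except UID 0 in either version. parse_uid also rejects values such as "100abc" or a leading sign, so a malformed option cannot be turned into a match.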
Attack Vector
The attack requires local access to the system and an unprivileged account; no special privileges beyond the ability to run the setuid umount binary are needed. The attacker:
- Reads the mount table (for example /proc/self/mountinfo) for FUSE filesystems whose user_id= option is a string prefix of the attacker's own decimal UID
- Runs umount on the mount point of such a filesystem
- Passes the flawed owner check, because the comparison stops after the characters of the mount's user_id value, and the filesystem is unmounted
Applications and services depending on that filesystem then see their files disappear and fail, which is the denial of service described in the CVE.
The following excerpt from the fix commit shows the variables of the owner check being replaced (the string buffer and length give way to two uid_t values):
struct libmnt_ns *ns_old;
const char *type = mnt_fs_get_fstype(cxt->fs);
const char *optstr;
- char *user_id = NULL;
- size_t sz;
- uid_t uid;
- char uidstr[sizeof(stringify_value(ULONG_MAX))];
+ uid_t uid, entry_uid;
*errsv = 0;
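Review bot: dropping `size_t sz` and `char uidstr[sizeof(stringify_value(ULONG_MAX))]` removes the length-bounded string comparison that produced the prefix match, but this excerpt ends at `*errsv = 0;` without the lines that fill in `entry_uid` or compare it with `uid`, so the actual replacement check cannot be reviewed from the hunk as shown; please include the call site. Also note that `char *user_id = NULL;` was initialised while `uid_t uid, entry_uid;` is not, so confirm both are assigned on every path before the comparison.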
Source: GitHub Commit for util-linux
The fix also declares a new internal helper that parses a UID-valued mount option into a uid_t for the numeric comparison:
const struct libmnt_optmap **mapent);
/* optstr.c */
+extern int mnt_optstr_get_uid(const char *optstr, const char *name, uid_t *uid);
extern int mnt_optstr_remove_option_at(char **optstr, char *begin, char *end);
extern int mnt_optstr_fix_gid(char **optstr, char *value, size_t valsz, char **next);
extern int mnt_optstr_fix_uid(char **optstr, char *value, size_t valsz, char **next);
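Review bot: the new `mnt_optstr_get_uid(const char *optstr, const char *name, uid_t *uid)` prototype lands in the header with no comment on its contract: what it returns when `name` is absent, when the value is not a plain decimal number, or when it does not fit in `uid_t`. Since lax parsing of `user_id` is exactly the bug being fixed, suggest documenting that next to the declaration and having callers treat anything other than success as "not the owner". Placing it beside `mnt_optstr_fix_uid()` under the `/* optstr.c */` group is consistent with the file.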
Source: GitHub Commit for util-linux
Detection Methods for CVE-2021-3995
Indicators of Compromise
- FUSE filesystems disappearing from the mount table without a matching administrative action
- Application errors such as ENOTCONN or ENOENT on paths that were FUSE mount points
- umount executions by non-root users against mount points they did not create
- Audit records for the umount2 syscall whose login UID (auid) differs from the user_id= of the filesystem that was unmounted; because umount is installed setuid root, the uid/euid fields of the record may read 0 even when an ordinary user issued the command
Detection Strategies
- Log unmount operations with an auditd rule on the umount2 syscall (for example -a always,exit -F arch=b64 -S umount2 -F auid>=1000 -F auid!=4294967295 -k fuse-umount) and alert when the auid does not match the owner of the affected filesystem
- Implement file integrity or availability monitoring on critical FUSE mount points so that the mount point turning into an empty directory is noticed
- Configure alerting for mount table changes affecting FUSE filesystems, for example by diffing /proc/self/mountinfo or watching it with poll(2)
- Review dmesg and the application logs for FUSE-related errors indicating unexpected unmounts
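As an added illustration of the auditd-based strategy above (this page's own example, not part of util-linux or of any audit tool), the following C program applies the detection logic to four constructed audit SYSCALL records. It keys on the login UID (auid) of umount2 calls rather than on uid/euid, because umount is installed setuid root and the effective identity in the record can be 0 for a call an ordinary user made. The syscall number 166 is umount2 on x86_64 (arch=c000003e) only; the field layout of the sample records and the "fuse-umount" key are assumptions.

```c
/* Added example, not from util-linux or the audit tooling: pick out
 * umount2(2) calls made from an unprivileged login session in Linux audit
 * SYSCALL records.  The records below are constructed, and syscall number
 * 166 is umount2 on x86_64 (arch=c000003e) only. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AUDIT_UNSET_UID 4294967295ULL   /* auid when no login uid was set */
#define SYS_UMOUNT2_X86_64 166ULL

/* Value of key= in an audit record (quotes stripped), or NULL.  The key
 * must start the record or follow a space, so "auid" never matches "uid". */
static const char *audit_field(const char *rec, const char *key, size_t *len)
{
	size_t klen = strlen(key);
	const char *p = rec;

	while ((p = strstr(p, key)) != NULL) {
		if ((p == rec || p[-1] == ' ') && p[klen] == '=') {
			const char *v = p + klen + 1, *end;
			if (*v == '"') {
				v++;
				end = strchr(v, '"');
			} else {
				end = strchr(v, ' ');
			}
			*len = end ? (size_t)(end - v) : strlen(v);
			return v;
		}
		p += klen;
	}
	return NULL;
}

/* Numeric field, or dflt when absent or not a plain decimal. */
static unsigned long long field_ull(const char *rec, const char *key,
				    unsigned long long dflt)
{
	size_t len;
	const char *v = audit_field(rec, key, &len);
	char buf[24], *end;
	unsigned long long x;

	if (!v || len == 0 || len >= sizeof(buf))
		return dflt;
	memcpy(buf, v, len);
	buf[len] = '\0';
	x = strtoull(buf, &end, 10);
	return *end ? dflt : x;
}

/* Returns the login UID (auid) of an umount2 call made from a non-root
 * session, or -1 if the record is not such a call.  A result >= 0 still
 * has to be correlated with the user_id= of the filesystem that vanished:
 * a user unmounting their own FUSE mount produces the same record. */
long long offending_auid(const char *rec)
{
	size_t len;
	const char *type = audit_field(rec, "type", &len);
	unsigned long long nr, auid;

	if (!type || len != 7 || strncmp(type, "SYSCALL", 7) != 0)
		return -1;
	nr = field_ull(rec, "syscall", ULLONG_MAX);
	auid = field_ull(rec, "auid", AUDIT_UNSET_UID);
	if (nr != SYS_UMOUNT2_X86_64)
		return -1;
	if (auid == 0 || auid == AUDIT_UNSET_UID)   /* root or daemon session */
		return -1;
	return (long long) auid;
}

/* Constructed records (not captured from a real host). */
const char *sample_records[] = {
	"type=SYSCALL msg=audit(1643000001.101:201): arch=c000003e syscall=166 "
	"success=yes exit=0 items=1 ppid=2301 pid=2345 auid=1001 uid=1001 gid=1001 "
	"euid=0 suid=0 fsuid=0 egid=1001 tty=pts1 ses=3 comm=\"umount\" "
	"exe=\"/usr/bin/umount\" key=\"fuse-umount\"",
	"type=SYSCALL msg=audit(1643000002.202:202): arch=c000003e syscall=166 "
	"success=yes exit=0 items=1 ppid=1 pid=2400 auid=0 uid=0 gid=0 euid=0 "
	"suid=0 fsuid=0 egid=0 tty=pts0 ses=1 comm=\"umount\" "
	"exe=\"/usr/bin/umount\" key=\"fuse-umount\"",
	"type=SYSCALL msg=audit(1643000003.303:203): arch=c000003e syscall=166 "
	"success=yes exit=0 items=1 ppid=0 pid=1 auid=4294967295 uid=0 gid=0 "
	"euid=0 suid=0 fsuid=0 egid=0 tty=(none) ses=4294967295 comm=\"systemd\" "
	"exe=\"/usr/lib/systemd/systemd\" key=\"fuse-umount\"",
	"type=SYSCALL msg=audit(1643000004.404:204): arch=c000003e syscall=165 "
	"success=yes exit=0 items=1 ppid=2301 pid=2350 auid=1001 uid=1001 gid=1001 "
	"euid=0 suid=0 fsuid=0 egid=1001 tty=pts1 ses=3 comm=\"mount\" "
	"exe=\"/usr/bin/mount\" key=\"mounts\"",
};
const size_t sample_count = sizeof(sample_records) / sizeof(sample_records[0]);

int main(void)
{
	size_t i;
	for (i = 0; i < sample_count; i++) {
		long long auid = offending_auid(sample_records[i]);
		if (auid >= 0)
			printf("record %zu: umount2 from login uid %lld\n", i, auid);
	}
	return 0;
}
```

Only the first record is flagged: the second is root's own session, the third has no login UID (a daemon such as systemd), and the fourth is a mount(2) call (syscall 165), not an unmount. On a real host the records come from a rule such as the one listed above, and the flagged auid is then compared with the user_id= option of the filesystem that disappeared before treating the event as exploitation.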
Monitoring Recommendations
- Use an endpoint detection and response (EDR) agent to record filesystem mount and unmount operations together with the invoking user
- Where SentinelOne is deployed, configure its agents to alert on unmount activity by users other than the mount owner
- Establish a baseline of expected FUSE mounts in production so that a missing mount is detected rather than discovered through application failures
- Implement automated health checks for applications dependent on FUSE mounts, for example a periodic stat of a known file inside each mount
How to Mitigate CVE-2021-3995
Immediate Actions Required
- Update util-linux to version 2.37.3 or later, or to a distribution package that carries the fix
- Audit systems for vulnerable util-linux versions using the package manager (umount --version prints the library version in use)
- Review the mount table for FUSE filesystems mounted by non-root users whose UID is a string prefix of another local user's UID; these are the mounts that can be targeted
- Until patching is complete, consider removing the setuid bit from umount (chmod u-s on the umount binary) on multi-user hosts; this disables unprivileged unmounting through umount altogether, including legitimate fstab "user" mounts, while FUSE owners can still unmount with fusermount -u
Patch Information
The vulnerability has been addressed in util-linux version 2.37.3. The fix replaces the flawed string-based UID comparison with proper numeric UID validation using the new mnt_optstr_get_uid() function. Organizations should apply updates through their distribution's package management system.
- GitHub Commit for util-linux - Security patch commit
- Util-Linux Release Notes v2.37.3 - Official release notes
- Gentoo GLSA 202401-08 - Gentoo security advisory
- NetApp Security Advisory NTAP-20221209-0002 - NetApp advisory
Workarounds
- Restrict who can run umount as root: remove its setuid bit, or confine it with an SELinux or AppArmor policy, accepting that unprivileged users then lose umount for their own mounts (fusermount -u continues to work for FUSE)
- Implement additional monitoring and alerting for FUSE filesystem mount/unmount events, as described in the detection section
- Mount critical FUSE filesystems as root rather than as an unprivileged user; a root-owned mount carries user_id=0, which the prefix comparison cannot match for any other UID
- Isolate systems running critical FUSE-dependent applications, or avoid giving untrusted local users accounts on them, until patches can be applied
# Check the util-linux version behind umount (prints e.g. "umount from util-linux 2.37.3")
umount --version

# Or query the installed package
rpm -q util-linux            # Fedora/RHEL-based systems
dpkg-query -W util-linux     # Debian/Ubuntu-based systems

# Update util-linux on Fedora/RHEL-based systems
sudo dnf update util-linux

# Update util-linux on Debian/Ubuntu-based systems
sudo apt update && sudo apt install --only-upgrade util-linux

# List FUSE mounts with their options; user_id= is the value the owner check compares
mount | grep fuse
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

