CVE-2021-41072 Overview
CVE-2021-41072 is a Directory Traversal vulnerability in the squashfs_opendir function within unsquash-2.c in Squashfs-Tools version 4.5. This vulnerability allows an attacker to craft a malicious squashfs filesystem containing a symbolic link followed by contents under the same filename, enabling unsquashfs to write files outside the expected destination directory. This is a distinct vulnerability from CVE-2021-40153, which also affected Squashfs-Tools.
Critical Impact
Attackers can exploit this flaw to write arbitrary files anywhere on the filesystem by creating symbolic links pointing outside the extraction directory, potentially leading to arbitrary code execution or system compromise.
Affected Products
- Squashfs-Tools 4.5
- Debian Linux 9.0, 10.0, 11.0
- Linux distributions shipping vulnerable Squashfs-Tools versions
Discovery Timeline
- 2021-09-14 - CVE-2021-41072 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-41072
Vulnerability Analysis
The vulnerability resides in the squashfs_opendir function in unsquash-2.c, which fails to properly validate directory entries during squashfs extraction. The root cause is a lack of duplicate name checking within directories, combined with improper handling of symbolic links during the extraction sequence.
When processing a crafted squashfs filesystem, the extraction process first creates a symbolic link pointing to an attacker-controlled location outside the intended destination directory. Subsequently, when the extractor encounters another entry with the same filename, it follows the previously created symbolic link and writes content to the arbitrary location specified by the attacker.
This vulnerability can be exploited remotely if a user extracts a malicious squashfs archive obtained from an untrusted source, though user interaction is required to trigger the extraction.
Root Cause
The fundamental issue stems from missing directory integrity checks in the squashfs extraction code. The squashfs_opendir function does not verify that directory entries have unique names before processing them. This oversight allows an attacker to include duplicate filenames in a squashfs archive—first as a symbolic link, then as regular content—causing the extraction tool to write through the symlink to arbitrary filesystem locations.
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious squashfs filesystem image containing:
- A symbolic link entry pointing to a target location outside the extraction directory (e.g., /etc/cron.d/malicious)
- A subsequent file entry with the same filename containing malicious content
When unsquashfs processes this archive, it creates the symbolic link first, then attempts to write the file content to the same path, inadvertently following the symlink and writing to the attacker-specified location.
// Security patch in squashfs-tools/unsquash-1.c
// Adds directory sorting and duplicate name detection to prevent exploitation
// Source: https://github.com/plougher/squashfs-tools/commit/e0485802ec72996c20026da320650d8362f555bd
}
}
+ /* check directory for duplicate names. Need to sort directory first */
+ sort_directory(dir);
+ if(check_directory(dir) == FALSE) {
+ ERROR("File system corrupted: directory has duplicate names\n");
+ goto corrupted;
+ }
return dir;
corrupted:
Source: GitHub Commit Update
Detection Methods for CVE-2021-41072
Indicators of Compromise
- Unexpected symbolic links created during squashfs extraction pointing outside the destination directory
- Unauthorized file modifications in sensitive directories such as /etc, /root, or system binary paths
- Suspicious squashfs archives containing duplicate filename entries with different file types
- Log entries indicating squashfs extraction operations followed by unexpected file system changes
Detection Strategies
- Monitor file system operations during squashfs extraction for symbolic link creation followed by file writes to the same path
- Implement integrity monitoring on critical system directories to detect unauthorized modifications
- Scan squashfs archives for duplicate directory entries before extraction using file analysis tools
- Deploy endpoint detection rules to identify unsquashfs processes writing to locations outside expected extraction directories
Monitoring Recommendations
- Enable audit logging for all squashfs extraction operations in production environments
- Configure file integrity monitoring (FIM) on critical system paths to alert on unexpected modifications
- Implement sandbox environments for extracting untrusted squashfs archives
- Monitor process execution chains involving unsquashfs for anomalous file system write patterns
How to Mitigate CVE-2021-41072
Immediate Actions Required
- Update Squashfs-Tools to a patched version immediately on all affected systems
- Avoid extracting squashfs archives from untrusted or unverified sources
- Implement extraction in isolated environments or containers when processing external archives
- Review recently extracted squashfs archives for potential compromise indicators
Patch Information
The Squashfs-Tools maintainers have released a fix that adds directory sorting and duplicate name checking to prevent this exploitation technique. The patch introduces a check_directory() function that detects and rejects filesystem images containing duplicate names, treating them as corrupted.
The fix is available via the GitHub commit e0485802. Distribution-specific patches are available through:
Workarounds
- Extract squashfs archives only in isolated sandbox environments or containers with restricted filesystem access
- Implement a pre-extraction validation script that scans squashfs archives for duplicate directory entries
- Use restricted user permissions when running unsquashfs to limit potential write locations
- Configure mandatory access controls (SELinux/AppArmor) to confine unsquashfs file write operations
# Configuration example - Extract squashfs in restricted environment
# Create a sandboxed extraction using unshare and chroot
# Create isolated extraction directory with restricted permissions
mkdir -p /tmp/squashfs-sandbox
chmod 700 /tmp/squashfs-sandbox
# Extract with restricted filesystem namespace (Linux)
unshare --mount --map-root-user bash -c "
mount --bind /tmp/squashfs-sandbox /tmp/squashfs-sandbox
mount --make-private /tmp/squashfs-sandbox
cd /tmp/squashfs-sandbox
unsquashfs -d ./extracted /path/to/archive.squashfs
"
# Alternative: Use firejail for sandboxed extraction
firejail --private=/tmp/squashfs-sandbox unsquashfs -d ./extracted /path/to/archive.squashfs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
