The default configuration in Red Hat Enterprise Linux 7 does not limit the number of nested directories to a reasonable level, thus it was possible to create many directories within /tmp and systemd would try to create directories within these, resulting in a denial of service. The default configuration has been modified in Red Hat Enterprise Linux 7.3 and later.
In Red Hat Enterprise Linux 6, the flaw was corrected by limiting the number of nested directories to 1000. The bug was assigned the bug id 172424.
A second flaw was found in systemd. An uncontrolled recursion in systemd-tmpfiles may lead to a denial of service at boot time when too many locations are defined in /etc/fstab. The default configuration in Red Hat Enterprise Linux 7 does not limit the number of locations defined in /etc/fstab, thus it was possible to create many locations in /etc/fstab and systemd would try to create many locations in these, resulting in a denial of service. In Red Hat Enterprise Linux 6, the default configuration limited the number of locations to 10,000. The bug was assigned the bug id 172425.

A third flaw was found in systemd. An uncontrolled recursion in systemd-tmpfiles may lead to a denial of service at boot time when too many mount options are specified in /etc/fstab. The default configuration in Red Hat Enterprise Linux 7 does not limit the number of mount options defined in /etc/fstab, thus it was possible

Mitigation steps for all issues

Red Hat Enterprise Linux 7.3 and later with kernel versions 4.14.18-rt37, 4.15.6-rt8, and 4.16-rc1 contain fixes for all three bugs listed above:
For CVE-2021-3997, the default configuration has been modified to limit the number of nested directories to 1000;
For CVE-2017-15940, the default configuration in Red Hat Enterprise Linux 7 limits the number of mount options to 10,000;
For CVE-2017-15939, the default configuration in Red Hat Enterprise Linux 6 limits the number of locations defined in /etc/fstab to 10,000.

How to verify if you are affected by the CVE-2021-3997

The default configuration in Red Hat Enterprise Linux 7 does not limit the number of mount options defined in /etc/fstab, thus it was possible to create many locations in /etc/fstab and systemd would try to create many locations in these, resulting in a denial of service. In Red Hat Enterprise Linux 6, the default configuration limited the number of mount options to 10,000. The bug was assigned the bug id 172425.
In both Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 6, if you are unsure if you are affected by this bug, or what your impact may be, you can use a script "mntctl" to perform an investigation on your system. For more information about mntctl please refer to https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Systemd-Tools_and_Utilities/index.html#mntctl

What is systemd? systemd is a system and service manager for Linux, compatible with SysV and LSB init scripts. It provides logging services, starts and stops daemons, maintains device configuration, executes actions on events such as start-up or shutdown of the system or devices, and manages large numbers of processes.

Fix for CVE-2021-3997

In Red Hat Enterprise Linux 6, the default configuration limited the number of mount options defined in /etc/fstab, thus it was possible to create many mount options and systemd would try to create many mount options in these, resulting in a denial of service. In Red Hat Enterprise Linux 7, the default configuration limits the number of mount options defined in /etc/fstab to 1000 (which is 10 percent more than the maximum number allowed by systemd-tmpfiles). The bug was assigned the bug id 172426.

Timeline

Published on: 08/23/2022 20:15:00 UTC
Last modified on: 08/27/2022 01:54:00 UTC

References