As more information about the recently disclosed Linux local privilege escalation vulnerability, “Sequoia” (CVE-2021-33909 – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33909), has come to light, we wanted to keep our partners in the loop. This is a vulnerability that all MSPs who support or use Linux systems should be aware of. Based on our understanding of the vulnerability, it is unlikely to be a risk to N-able’s N-central. To exploit the vulnerability, an attacker needs to have local shell access. While a customer running N-central is theoretically at risk, this risk is mitigated by the fact that N-central runs on a hardened virtual appliance with local OS access disabled.
We are diligently working on a patch to address this Linux filesystem vulnerability and will notify customers as soon as it is available for download. To stay up to date with feature updates, hotfixes, and any new information concerning this vulnerability, please make sure you are subscribed to our Release Notes (https://status.n-able.com/release-notes/) as well as the N-able Blogs (https://www.n-able.com/blog/hardening-n-able-rmm).
For partners running Linux systems that allow system access, we strongly advise you to apply the relevant Linux kernel patch immediately. For additional information, refer to the original announcement from Qualys (https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909) or the NIST CVE details (https://nvd.nist.gov/vuln/detail/CVE-2021-33909).
If you have any questions, don’t hesitate to reach out to me (marcandre.tanguay@n-able.com).