As more information about Sequoia (CVE-2021-33909), the recently disclosed Linux local privilege escalation vulnerability, comes to light, we wanted to keep our partners in the loop. This is a vulnerability all MSPs who support or use Linux systems should be aware of. Based on our understanding of it, it’s unlikely to be a risk to the N-able™ N-central® platform. To exploit the vulnerability, an attacker needs local shell access. While a customer running N-central is potentially at risk, this risk is mitigated by the fact that N-central runs on a hardened virtual appliance with local OS access disabled.
We are diligently working on a patch to address this Linux filesystem vulnerability and will notify customers as soon as it is available for download. To stay up to date with feature updates, hotfixes, and any new information concerning this issue, please make sure you are subscribed to our Release Notes as well as the N-able Blog (see the subscribe box at the bottom of the blog).
For partners running Linux systems that allow system access, we strongly advise you to immediately apply the relevant Linux kernel patch. For additional information, refer to the original announcement from Qualys or the NIST CVE details.
If you have any questions, don’t hesitate to reach out to me using my contact information below.
Lewis Pope is the Head Security Nerd at N-able. You can follow him on