CVE-2021-20269: 
NixOS vulnerability analysis and mitigation

A vulnerability was discovered in kexec-tools involving incorrect permissions on a log file. The vulnerability, identified as CVE-2021-20269, was found in kexec-tools versions prior to 2.0.21-8 for Fedora and versions prior to 2.0.20-47 for RHEL. The flaw allows local unprivileged users to read the log file and potentially access kernel internal information from previous system panics (NVD).

The vulnerability stems from incorrect permission settings on the vmcore-dmesg.txt file that is extracted from the vmcore of a previous kernel panic. The file is created with world-readable permissions when it should have more restricted access. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating local access is required and the primary impact is to confidentiality (NVD).

The primary impact of this vulnerability is to system confidentiality. An unprivileged local user can potentially access sensitive kernel internal information that was output to the ring buffer or included in panic backtraces from previous system crashes (Openwall).

As a temporary workaround, the kexec service can be disabled until the kexec-tools package is updated. No system reboot is required for this mitigation to take effect. For a permanent fix, systems should be updated to kexec-tools version 2.0.21-8 or later for Fedora, and version 2.0.20-47 or later for RHEL (Red Hat Errata).