CVE-2021-3621: 
NixOS vulnerability analysis and mitigation

CVE-2021-3621 is a security vulnerability discovered in SSSD (System Security Services Daemon), specifically affecting the sssctl command. The vulnerability was disclosed on June 23, 2021, and affects the logs-fetch and cache-expire subcommands of sssctl. The flaw was found in SSSD versions prior to 2.6.0 (SSSD Release, NVD).

The vulnerability stems from the sssctl_run_command() function, which is a wrapper for running commands via a shell using glibc's system() function call. The sssctl_cache_expire() and sssctl_logs_fetch() functions allow user-provided arguments and pass them directly to sssctl_run_command() without proper sanitization, making them vulnerable to shell command injection (Red Hat Bugzilla).

The vulnerability could allow an attacker to gain root access by tricking the root user into running a specially crafted sssctl command, such as via sudo. The highest threat from this vulnerability affects system confidentiality, integrity, and availability (CVE Mitre).

The vulnerability was fixed in SSSD version 2.6.0 by replacing the system() call with execvp() to avoid execution of user-supplied commands. Various Linux distributions have released security updates to address this vulnerability, including Red Hat Enterprise Linux via RHSA-2021:3151 and Debian via DLA-3436-1 (SSSD Release, Debian LTS).