CVE-2021-23133

Linux Kernel sctp_destroy_sock race condition

Severity Score

7.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket.

Una condición de carrera en los sockets SCTP del kernel de Linux (el archivo net/sctp/socket.c) versiones anteriores a 5.12-rc8, puede conllevar a una escalada de privilegios del kernel desde el contexto de un servicio de red o un proceso no privilegiado. Si la función sctp_destroy_sock es llamado sin sock_net (sk) -) sctp.addr_wq_lock, un elemento es eliminado de la lista auto_asconf_splist sin ningún bloqueo apropiado. Esto puede ser explotado por un atacante con privilegios de servicio de red para escalar a root o desde el contexto de un usuario no privilegiado directamente si un BPF_CGROUP_INET_SOCK_CREATE es adjuntado que niega la creación de algún socket SCTP

A use-after-free flaw was found in the Linux kernel's SCTP socket functionality that triggers a race condition. This flaw allows a local user to escalate their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

*Credits: Or Cohen from Palo Alto Networks

CVSS Scores

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-01-06 CVE Reserved
2021-04-22 CVE Published
2023-03-08 EPSS Updated
2024-09-16 CVE Updated
2024-09-16 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CAPEC

References (14)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html	Mailing List
https://lists.debian.org/debian-lts-announce/2021/06/msg00020.html	Mailing List
https://security.netapp.com/advisory/ntap-20210611-0008	Third Party Advisory

URL	Date	SRC
https://www.openwall.com/lists/oss-security/2021/04/18/2	2024-09-16

URL	Date	SRC
http://www.openwall.com/lists/oss-security/2021/05/10/1	2023-11-07
http://www.openwall.com/lists/oss-security/2021/05/10/2	2023-11-07
http://www.openwall.com/lists/oss-security/2021/05/10/3	2023-11-07
http://www.openwall.com/lists/oss-security/2021/05/10/4	2023-11-07
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b166a20b07382b8bc1dcee2a448715c9c2c81b5b	2023-11-07

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CUX2CA63453G34C6KYVBLJXJXEARZI2X	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAEQ3H6HKNO6KUCGRZVYSFSAGEUX23JL	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XZASHZVCOFJ4VU2I3BN5W5EPHWJQ7QWX	2023-11-07
https://access.redhat.com/security/cve/CVE-2021-23133	2021-11-09
https://bugzilla.redhat.com/show_bug.cgi?id=1948772	2021-11-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Netapp Search vendor "Netapp"	H410c Firmware Search vendor "Netapp" for product "H410c Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H410c Search vendor "Netapp" for product "H410c"	-	-	Safe
Netapp Search vendor "Netapp"	H300s Firmware Search vendor "Netapp" for product "H300s Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H300s Search vendor "Netapp" for product "H300s"	-	-	Safe
Netapp Search vendor "Netapp"	H500s Firmware Search vendor "Netapp" for product "H500s Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H500s Search vendor "Netapp" for product "H500s"	-	-	Safe
Netapp Search vendor "Netapp"	H700s Firmware Search vendor "Netapp" for product "H700s Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H700s Search vendor "Netapp" for product "H700s"	-	-	Safe
Netapp Search vendor "Netapp"	H300e Firmware Search vendor "Netapp" for product "H300e Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H300e Search vendor "Netapp" for product "H300e"	-	-	Safe
Netapp Search vendor "Netapp"	H500e Firmware Search vendor "Netapp" for product "H500e Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H500e Search vendor "Netapp" for product "H500e"	-	-	Safe
Netapp Search vendor "Netapp"	H700e Firmware Search vendor "Netapp" for product "H700e Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H700e Search vendor "Netapp" for product "H700e"	-	-	Safe
Netapp Search vendor "Netapp"	H410s Firmware Search vendor "Netapp" for product "H410s Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H410s Search vendor "Netapp" for product "H410s"	-	-	Safe
Netapp Search vendor "Netapp"	Solidfire Baseboard Management Controller Firmware Search vendor "Netapp" for product "Solidfire Baseboard Management Controller Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	Solidfire Baseboard Management Controller Search vendor "Netapp" for product "Solidfire Baseboard Management Controller"	-	-	Safe
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.10 < 4.14.232 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.10 < 4.14.232"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.15 < 4.19.189 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.15 < 4.19.189"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.20 < 5.4.114 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.20 < 5.4.114"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.5 < 5.10.32 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.5 < 5.10.32"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.11 < 5.11.16 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 5.11.16"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				32 Search vendor "Fedoraproject" for product "Fedora" and version "32"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				33 Search vendor "Fedoraproject" for product "Fedora" and version "33"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				34 Search vendor "Fedoraproject" for product "Fedora" and version "34"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Netapp Search vendor "Netapp"		Cloud Backup Search vendor "Netapp" for product "Cloud Backup"				-		-		Affected
Netapp Search vendor "Netapp"		Solidfire \& Hci Management Node Search vendor "Netapp" for product "Solidfire \& Hci Management Node"				-		-		Affected
Broadcom Search vendor "Broadcom"		Brocade Fabric Operating System Search vendor "Broadcom" for product "Brocade Fabric Operating System"				-		-		Affected