CVE-2021-31440

Linux Kernel eBPF Improper Input Validation Privilege Escalation Vulnerability

Severity Score

7.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.11.15. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-13661.

Esta vulnerabilidad permite a atacantes locales escalar los privilegios en las instalaciones afectadas de Linux Kernel versión 5.11.15. Un atacante primero debe obtener la capacidad de ejecutar código poco privilegiado en el sistema de destino para explotar esta vulnerabilidad. El fallo específico se presenta dentro del manejo de los programas eBPF. El problema es debido a una falta de validación apropiada de los programas eBPF suministrados por el usuario antes de ejecutarlos. Un atacante puede explotar esta vulnerabilidad para escalar privilegios y ejecutar código arbitrario en el contexto del kernel. Fue ZDI-CAN-13661

An out-of-bounds access flaw was found in the Linux kernel’s implementation of the eBPF code verifier, where an incorrect register bounds calculation while checking unsigned 32-bit instructions in an eBPF program occurs.. By default accessing the eBPF verifier is only accessible to privileged users with CAP_SYS_ADMIN. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them. A local user could use this flaw to crash the system or possibly escalate their privileges on the system.

This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel.

*Credits: Manfred Paul

CVSS Scores

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-04-16 CVE Reserved
2021-05-03 CVE Published
2023-03-08 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-682: Incorrect Calculation

CAPEC

References (5)

URL	Tag	Source
https://security.netapp.com/advisory/ntap-20210706-0003	Third Party Advisory
https://www.zerodayinitiative.com/advisories/ZDI-21-503	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=10bf4e83167cc68595b85fd73bb91e8f2c086e36	2023-08-11

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2021-31440	2021-11-09
https://bugzilla.redhat.com/show_bug.cgi?id=1964028	2021-11-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Netapp Search vendor "Netapp"	Solidfire Baseboard Management Controller Firmware Search vendor "Netapp" for product "Solidfire Baseboard Management Controller Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	Solidfire Baseboard Management Controller Search vendor "Netapp" for product "Solidfire Baseboard Management Controller"	-	-	Safe
Netapp Search vendor "Netapp"	H500s Firmware Search vendor "Netapp" for product "H500s Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H500s Search vendor "Netapp" for product "H500s"	-	-	Safe
Netapp Search vendor "Netapp"	H700s Firmware Search vendor "Netapp" for product "H700s Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H700s Search vendor "Netapp" for product "H700s"	-	-	Safe
Netapp Search vendor "Netapp"	H300e Firmware Search vendor "Netapp" for product "H300e Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H300e Search vendor "Netapp" for product "H300e"	-	-	Safe
Netapp Search vendor "Netapp"	H500e Firmware Search vendor "Netapp" for product "H500e Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H500e Search vendor "Netapp" for product "H500e"	-	-	Safe
Netapp Search vendor "Netapp"	H700e Firmware Search vendor "Netapp" for product "H700e Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H700e Search vendor "Netapp" for product "H700e"	-	-	Safe
Netapp Search vendor "Netapp"	H410s Firmware Search vendor "Netapp" for product "H410s Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H410s Search vendor "Netapp" for product "H410s"	-	-	Safe
Netapp Search vendor "Netapp"	H300s Firmware Search vendor "Netapp" for product "H300s Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H300s Search vendor "Netapp" for product "H300s"	-	-	Safe
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.7 < 5.10.37 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.7 < 5.10.37"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.11 < 5.11.21 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.11 < 5.11.21"		-		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.12 < 5.12.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.12 < 5.12.4"		-		Affected
Netapp Search vendor "Netapp"		Cloud Backup Search vendor "Netapp" for product "Cloud Backup"				-		-		Affected