CVE-2021-23133: Linux Kernel sctp_destroy_sock race condition
First published: Mon Apr 12 2021(Updated: )
A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket.
Credit: psirt@paloaltonetworks.com psirt@paloaltonetworks.com psirt@paloaltonetworks.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel-rt | <0:4.18.0-348.rt7.130.el8 | 0:4.18.0-348.rt7.130.el8 |
| redhat/kernel | <0:4.18.0-348.el8 | 0:4.18.0-348.el8 |
| redhat/Kernel | <5.12 | 5.12 |
| Linux Kernel | >=4.10<4.14.232 | |
| Linux Kernel | >=4.15<4.19.189 | |
| Linux Kernel | >=4.20<5.4.114 | |
| Linux Kernel | >=5.5<5.10.32 | |
| Linux Kernel | >=5.11<5.11.16 | |
| Fedora | =32 | |
| Fedora | =33 | |
| Fedora | =34 | |
| Debian | =9.0 | |
| NetApp Cloud Backup | ||
| NetApp SolidFire & HCI Management Node | ||
| Broadcom Fabric Operating System | ||
| All of | ||
| NetApp H410C | ||
| NetApp H410C Firmware | ||
| All of | ||
| NetApp H300S Firmware | ||
| NetApp H300S Firmware | ||
| All of | ||
| NetApp H500e Firmware | ||
| NetApp H500e Firmware | ||
| All of | ||
| NetApp H700S | ||
| NetApp H700S | ||
| All of | ||
| NetApp H300E | ||
| NetApp H300E Firmware | ||
| All of | ||
| NetApp H500E | ||
| NetApp H500e Firmware | ||
| All of | ||
| NetApp H700E | ||
| NetApp H700E | ||
| All of | ||
| NetApp H410S | ||
| NetApp H410S Firmware | ||
| All of | ||
| NetApp SolidFire Baseboard Management Controller Firmware | ||
| NetApp SolidFire | ||
| NetApp H410C | ||
| NetApp H410C Firmware | ||
| NetApp H300S Firmware | ||
| NetApp H300S Firmware | ||
| NetApp H500e Firmware | ||
| NetApp H500e Firmware | ||
| NetApp H700S | ||
| NetApp H700S | ||
| NetApp H300E | ||
| NetApp H300E Firmware | ||
| NetApp H500E | ||
| NetApp H500e Firmware | ||
| NetApp H700E | ||
| NetApp H700E | ||
| NetApp H410S | ||
| NetApp H410S Firmware | ||
| NetApp SolidFire Baseboard Management Controller Firmware | ||
| NetApp SolidFire | ||
| debian/linux | 5.10.223-1 5.10.234-1 6.1.123-1 6.1.128-1 6.12.12-1 6.12.17-1 |
Remedy
To mitigate this issue, prevent the module sctp from being loaded (and this is so by default for Red Hat Enterprise Linux 8). Please see https://access.redhat.com/solutions/41278 for information on how to blacklist a kernel module to prevent it from loading automatically.
Remedy
This issue is fixed in Linux kernel 5.12-rc8.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-23133 https://nvd.nist.gov/vuln/detail/CVE-2021-23133 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b166a20b07382b8bc1dcee2a448715c9c2c81b5b
- https://bugzilla.redhat.com/show_bug.cgi?id=1948772
- https://access.redhat.com/errata/RHSA-2021:4140
- https://access.redhat.com/errata/RHSA-2021:4356
- https://access.redhat.com/security/cve/cve-2021-23133
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b166a20b07382b8bc1dcee2a448715c9c2c81b5b
- https://www.openwall.com/lists/oss-security/2021/04/18/2
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PAEQ3H6HKNO6KUCGRZVYSFSAGEUX23JL/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CUX2CA63453G34C6KYVBLJXJXEARZI2X/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZASHZVCOFJ4VU2I3BN5W5EPHWJQ7QWX/
- http://www.openwall.com/lists/oss-security/2021/05/10/1
- http://www.openwall.com/lists/oss-security/2021/05/10/2
- http://www.openwall.com/lists/oss-security/2021/05/10/3
- http://www.openwall.com/lists/oss-security/2021/05/10/4
- https://security.netapp.com/advisory/ntap-20210611-0008/
- https://lists.debian.org/debian-lts-announce/2021/06/msg00020.html
- https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html
- https://launchpad.net/bugs/cve/CVE-2021-23133
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1951582
- https://access.redhat.com/solutions/41278
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CUX2CA63453G34C6KYVBLJXJXEARZI2X/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAEQ3H6HKNO6KUCGRZVYSFSAGEUX23JL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XZASHZVCOFJ4VU2I3BN5W5EPHWJQ7QWX/
- https://git.kernel.org/linus/34e5b01186858b36c4d7c87e1a025071e8e2401f
- https://security-tracker.debian.org/tracker/CVE-2021-23133
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23133
- https://nvd.nist.gov/vuln/detail/CVE-2021-23133
- https://ubuntu.com/security/CVE-2021-23133
Frequently Asked Questions
What is the severity of CVE-2021-23133?
CVE-2021-23133 has a high severity rating due to the potential for kernel privilege escalation.
How do I fix CVE-2021-23133?
To resolve CVE-2021-23133, upgrade to the kernel versions 0:4.18.0-348.rt7.130.el8 or 0:4.18.0-348.el8 on Red Hat systems.
Which Linux versions are affected by CVE-2021-23133?
CVE-2021-23133 affects Linux kernel versions prior to 5.12-rc8, including several versions between 4.10 and 5.11.
What type of vulnerability is CVE-2021-23133?
CVE-2021-23133 is classified as a race condition vulnerability in SCTP sockets of the Linux kernel.
Can CVE-2021-23133 be exploited by unprivileged users?
Yes, CVE-2021-23133 can potentially be exploited by unprivileged users or network services to escalate their privileges.
- collector/redhat-cve
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/type
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-23133
- agent/software-canonical-lookup
- agent/weakness
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/title
- agent/severity
- agent/last-modified-date
- agent/trending
- agent/source
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-api
- collector/nvd-index
- package-manager/redhat
- package-manager/debian
- vendor/linux
- canonical/linux kernel
- version/linux kernel/4.10
- version/linux kernel/4.15
- version/linux kernel/4.20
- version/linux kernel/5.5
- version/linux kernel/5.11
- vendor/fedoraproject
- canonical/fedora
- version/fedora/32
- version/fedora/33
- version/fedora/34
- vendor/debian
- canonical/debian
- version/debian/9.0
- vendor/netapp
- canonical/netapp cloud backup
- canonical/netapp solidfire & hci management node
- vendor/broadcom
- canonical/broadcom fabric operating system
- canonical/netapp h410c
- canonical/netapp h410c firmware
- canonical/netapp h300s firmware
- canonical/netapp h500e firmware
- canonical/netapp h700s
- canonical/netapp h300e
- canonical/netapp h300e firmware
- canonical/netapp h500e
- canonical/netapp h700e
- canonical/netapp h410s
- canonical/netapp h410s firmware
- canonical/netapp solidfire baseboard management controller firmware
- canonical/netapp solidfire