critical
9.8
CWE
20 119 1284
Advisory Published
CVE Published
Updated

CVE-2021-43267: Input Validation

First published: Tue Nov 02 2021(Updated: )

A flaw was discovered in the cryptographic receive code in the Linux kernel's implementation of transparent interprocess communication. An attacker, with the ability to send TIPC messages to the target, can corrupt memory and escalate privileges on the target system.

Credit: cve@mitre.org cve@mitre.org cve@mitre.org

Affected SoftwareAffected VersionHow to fix
redhat/kernel-rt<0:4.18.0-348.2.1.rt7.132.el8_5
0:4.18.0-348.2.1.rt7.132.el8_5
redhat/kernel<0:4.18.0-348.2.1.el8_5
0:4.18.0-348.2.1.el8_5
redhat/kernel-rt<0:4.18.0-305.28.1.rt7.100.el8_4
0:4.18.0-305.28.1.rt7.100.el8_4
redhat/kernel<0:4.18.0-305.28.1.el8_4
0:4.18.0-305.28.1.el8_4
Linux Linux kernel>=5.10<5.10.77
Linux Linux kernel>=5.11<5.14.16
Fedoraproject Fedora=34
Fedoraproject Fedora=35
All of
Netapp H300s
Netapp H300s Firmware
All of
Netapp H500s
Netapp H500s Firmware
All of
Netapp H700s
Netapp H700s Firmware
All of
Netapp H300e
Netapp H300e Firmware
All of
Netapp H500e
Netapp H500e Firmware
All of
Netapp H700e
Netapp H700e Firmware
All of
Netapp H410s
Netapp H410s Firmware
Netapp H300s Firmware
Netapp H300s
Netapp H500s Firmware
Netapp H500s
Netapp H700s Firmware
Netapp H700s
Netapp H300e Firmware
Netapp H300e
Netapp H500e Firmware
Netapp H500e
Netapp H700e Firmware
Netapp H700e
Netapp H410s Firmware
Netapp H410s
ubuntu/linux<5.11.0-44.48
5.11.0-44.48
ubuntu/linux<5.13.0-23.23
5.13.0-23.23
ubuntu/linux<5.15
5.15
ubuntu/linux-aws<5.11.0-1023.24
5.11.0-1023.24
ubuntu/linux-aws<5.13.0-1008.9
5.13.0-1008.9
ubuntu/linux-aws<5.15
5.15
ubuntu/linux-aws-5.0<5.15
5.15
ubuntu/linux-aws-5.11<5.11.0-1023.24~20.04.1
5.11.0-1023.24~20.04.1
ubuntu/linux-aws-5.11<5.15
5.15
ubuntu/linux-aws-5.13<5.15
5.15
ubuntu/linux-aws-5.15<5.15
5.15
ubuntu/linux-aws-5.3<5.15
5.15
ubuntu/linux-aws-5.4<5.15
5.15
ubuntu/linux-aws-5.8<5.15
5.15
ubuntu/linux-aws-6.5<5.15
5.15
ubuntu/linux-aws-fips<5.15
5.15
ubuntu/linux-aws-hwe<5.15
5.15
ubuntu/linux-azure<5.11.0-1023.24
5.11.0-1023.24
ubuntu/linux-azure<5.13.0-1009.10
5.13.0-1009.10
ubuntu/linux-azure<5.15
5.15
ubuntu/linux-azure-4.15<5.15
5.15
ubuntu/linux-azure-5.11<5.11.0-1023.24~20.04.1
5.11.0-1023.24~20.04.1
ubuntu/linux-azure-5.11<5.15
5.15
ubuntu/linux-azure-5.13<5.15
5.15
ubuntu/linux-azure-5.15<5.15
5.15
ubuntu/linux-azure-5.3<5.15
5.15
ubuntu/linux-azure-5.4<5.15
5.15
ubuntu/linux-azure-6.5<5.15
5.15
ubuntu/linux-azure-edge<5.15
5.15
ubuntu/linux-azure-fde<5.15
5.15
ubuntu/linux-azure-fde-5.15<5.15
5.15
ubuntu/linux-azure-fips<5.15
5.15
ubuntu/linux-bluefield<5.15
5.15
ubuntu/linux-dell300x<5.15
5.15
ubuntu/linux-fips<5.15
5.15
ubuntu/linux-gcp<5.11.0-1024.26
5.11.0-1024.26
ubuntu/linux-gcp<5.13.0-1008.9
5.13.0-1008.9
ubuntu/linux-gcp<5.15
5.15
ubuntu/linux-gcp-4.15<5.15
5.15
ubuntu/linux-gcp-5.11<5.11.0-1024.26~20.04.1
5.11.0-1024.26~20.04.1
ubuntu/linux-gcp-5.11<5.15
5.15
ubuntu/linux-gcp-5.13<5.15
5.15
ubuntu/linux-gcp-5.15<5.15
5.15
ubuntu/linux-gcp-5.3<5.15
5.15
ubuntu/linux-gcp-5.8<5.15
5.15
ubuntu/linux-gcp-6.5<5.15
5.15
ubuntu/linux-gcp-fips<5.15
5.15
ubuntu/linux-gke<5.15
5.15
ubuntu/linux-gke-4.15<5.15
5.15
ubuntu/linux-gke-5.0<5.15
5.15
ubuntu/linux-gke-5.3<5.15
5.15
ubuntu/linux-gke-5.4<5.15
5.15
ubuntu/linux-gkeop<5.15
5.15
ubuntu/linux-gkeop-5.15<5.15
5.15
ubuntu/linux-gkeop-5.4<5.15
5.15
ubuntu/linux-hwe<5.15
5.15
ubuntu/linux-hwe-5.11<5.11.0-44.48~20.04.2
5.11.0-44.48~20.04.2
ubuntu/linux-hwe-5.11<5.15
5.15
ubuntu/linux-hwe-5.13<5.13.0-23.23~20.04.2
5.13.0-23.23~20.04.2
ubuntu/linux-hwe-5.13<5.15
5.15
ubuntu/linux-hwe-5.15<5.15
5.15
ubuntu/linux-hwe-5.4<5.15
5.15
ubuntu/linux-hwe-5.8<5.15
5.15
ubuntu/linux-hwe-6.5<5.15
5.15
ubuntu/linux-hwe-edge<5.15
5.15
ubuntu/linux-ibm<5.15
5.15
ubuntu/linux-ibm-5.15<5.15
5.15
ubuntu/linux-ibm-5.4<5.15
5.15
ubuntu/linux-intel<5.15
5.15
ubuntu/linux-intel-5.13<5.15
5.15
ubuntu/linux-intel-iotg<5.15
5.15
ubuntu/linux-intel-iotg-5.15<5.15
5.15
ubuntu/linux-iot<5.15
5.15
ubuntu/linux-kvm<5.11.0-1021.23
5.11.0-1021.23
ubuntu/linux-kvm<5.13.0-1007.7
5.13.0-1007.7
ubuntu/linux-kvm<5.15
5.15
ubuntu/linux-laptop<5.15
5.15
ubuntu/linux-lowlatency<5.15
5.15
ubuntu/linux-lowlatency-hwe-5.15<5.15
5.15
ubuntu/linux-lowlatency-hwe-6.5<5.15
5.15
ubuntu/linux-lts-xenial<5.15
5.15
ubuntu/linux-nvidia<5.15
5.15
ubuntu/linux-nvidia-6.5<5.15
5.15
ubuntu/linux-oem<5.15
5.15
ubuntu/linux-oem-5.10<5.10.0-1053.55
5.10.0-1053.55
ubuntu/linux-oem-5.10<5.15
5.15
ubuntu/linux-oem-5.13<5.13.0-1026.32
5.13.0-1026.32
ubuntu/linux-oem-5.13<5.15
5.15
ubuntu/linux-oem-5.14<5.14.0-1008.8
5.14.0-1008.8
ubuntu/linux-oem-5.17<5.15
5.15
ubuntu/linux-oem-5.6<5.15
5.15
ubuntu/linux-oem-6.5<5.15
5.15
ubuntu/linux-oem-6.8<5.15
5.15
ubuntu/linux-oem-osp1<5.15
5.15
ubuntu/linux-oracle<5.11.0-1023.24
5.11.0-1023.24
ubuntu/linux-oracle<5.13.0-1011.13
5.13.0-1011.13
ubuntu/linux-oracle<5.15
5.15
ubuntu/linux-oracle-5.0<5.15
5.15
ubuntu/linux-oracle-5.11<5.11.0-1023.24~20.04.1
5.11.0-1023.24~20.04.1
ubuntu/linux-oracle-5.11<5.15
5.15
ubuntu/linux-oracle-5.13<5.15
5.15
ubuntu/linux-oracle-5.15<5.15
5.15
ubuntu/linux-oracle-5.3<5.15
5.15
ubuntu/linux-oracle-6.5<5.15
5.15
ubuntu/linux-raspi<5.11.0-1024.26
5.11.0-1024.26
ubuntu/linux-raspi<5.13.0-1012.14
5.13.0-1012.14
ubuntu/linux-raspi<5.15
5.15
ubuntu/linux-raspi-5.4<5.15
5.15
ubuntu/linux-raspi2<5.15
5.15
ubuntu/linux-raspi2-5.3<5.15
5.15
ubuntu/linux-riscv<5.11.0-1024.25
5.11.0-1024.25
ubuntu/linux-riscv<5.13.0-1007.7
5.13.0-1007.7
ubuntu/linux-riscv<5.15
5.15
ubuntu/linux-riscv-5.11<5.11.0-1024.25~20.04.1
5.11.0-1024.25~20.04.1
ubuntu/linux-riscv-5.11<5.15
5.15
ubuntu/linux-riscv-5.15<5.15
5.15
ubuntu/linux-riscv-5.8<5.15
5.15
ubuntu/linux-riscv-6.5<5.15
5.15
ubuntu/linux-snapdragon<5.15
5.15
ubuntu/linux-starfive<5.15
5.15
ubuntu/linux-starfive-6.5<5.15
5.15
ubuntu/linux-xilinx-zynqmp<5.15
5.15
debian/linux
5.10.218-1
5.10.221-1
6.1.94-1
6.1.99-1
6.9.12-1
6.10.3-1

Remedy

https://github.com/torvalds/linux/commit/fa40d9734a57bcbfa79a280189799f76c88f7bb0

Remedy

The TIPC module will NOT be automatically loaded. When required, administrative action is needed to explicitly load this module. Loading the module can be prevented with the following instructions: # echo "install tipc /bin/true" >> /etc/modprobe.d/disable-tipc.conf The system will need to be restarted if the tipc module is loaded. In most circumstances, the TIPC kernel module will be unable to be unloaded while any network interfaces are active and the protocol is in use. If the system requires this module to work correctly, this mitigation may not be suitable. If you need further assistance, see KCS article https://access.redhat.com/solutions/41278 or contact Red Hat Global Support Services. To mitigate the issue on systems that do need to use TIPC and do *not* deploy the TIPC protocol level encryption but rather use different ways to ensure secure communication between nodes (eg. physical network separation, IPSec/MACsec): - BEWARE THAT THIS WILL DISABLE THE TIPC PROTOCOL LEVEL ENCRYPTION - 1) On the host, save the following in a file with the ".stp" extension: %{ #include <linux/skbuff.h> #define MSG_CRYPTO 14 #define SOCK_WAKEUP 14 /* pseudo user */ #define TOP_SRV 15 /* pseudo user */ struct tipc_msg { __be32 hdr[15]; }; static inline struct tipc_msg *buf_msg(struct sk_buff *skb) { return (struct tipc_msg *)skb->data; } static inline u32 msg_word(struct tipc_msg *m, u32 pos) { return ntohl(m->hdr[pos]); } static inline void msg_set_word(struct tipc_msg *m, u32 w, u32 val) { m->hdr[w] = htonl(val); } static inline u32 msg_bits(struct tipc_msg *m, u32 w, u32 pos, u32 mask) { return (msg_word(m, w) >> pos) & mask; } static inline void msg_set_bits(struct tipc_msg *m, u32 w, u32 pos, u32 mask, u32 val) { val = (val & mask) << pos; mask = mask << pos; m->hdr[w] &= ~htonl(mask); m->hdr[w] |= htonl(val); } static inline u32 msg_user(struct tipc_msg *m) { return msg_bits(m, 0, 25, 0xf); } static inline void msg_set_user(struct tipc_msg *m, u32 n) { msg_set_bits(m, 0, 25, 0xf, n); } %} function sanitize:long (skb:long) %{ struct sk_buff *skb; struct tipc_msg *hdr; #if STAP_COMPAT_VERSION >= STAP_VERSION(1,8) skb = (struct sk_buff *) (unsigned long) STAP_ARG_skb; #else skb = (struct sk_buff *) (unsigned long) THIS->skb; #endif hdr = buf_msg(skb); if(msg_user(hdr) == MSG_CRYPTO) { msg_set_user(hdr, TOP_SRV); // set to invalid in this context } %} probe module("tipc").function("tipc_data_input").call { sanitize($skb); } 2) Install the "systemtap" package and any required dependencies (such as kernel-devel and kernel-debuginfo packages). 3) Run the "stap -g [filename-from-step-1].stp" command as root. If the host is rebooted, the changes will be lost and the script must be run again. Alternatively, build the systemtap script on a development system with "stap -g -p 4 [filename-from-step-1].stp", distribute the resulting kernel module to all affected systems, and run "staprun -L <module>" on those. When using this approach only systemtap-runtime package is required on the affected systems. Please notice that the kernel version must be the same across all systems.

Remedy

https://git.kernel.org/linus/1ef6f7c9390ff5308c940ff8d0a53533a4673ad9

Remedy

https://git.kernel.org/linus/fa40d9734a57bcbfa79a280189799f76c88f7bb0

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203