Vulnerability Details : CVE-2021-28375

An issue was discovered in the Linux kernel through 5.11.6. fastrpc_internal_invoke in drivers/misc/fastrpc.c does not prevent user applications from sending kernel RPC messages, aka CID-20c40794eb85. This is a related issue to CVE-2019-2308.

Published 2021-03-15 05:15:14

Updated 2023-02-24 18:42:13

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2021-28375

Probability of exploitation activity in the next 30 days: 0.05%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 12 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-28375

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
7.2	HIGH	AV:L/AC:L/Au:N/C:C/I:C/A:C	3.9	10.0	nvd@nist.gov
Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	1.8	5.9	nvd@nist.gov
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2021-28375

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2021-28375

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XAUNYDTGE6MB4NWL2SIHPCODCLET3JZB/

[SECURITY] Fedora 32 Update: kernel-5.11.7-100.fc32 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://lore.kernel.org/stable/YD03ew7+6v0XPh6l@kroah.com/

Re: [PATCH v2] misc: fastrpc: restrict user apps from sending kernel RPC messages - Greg Kroah-Hartman
Mailing List;Patch;Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OMRQVOTASD3VZP6GE4JJHE27QU6FHTZ6/

[SECURITY] Fedora 34 Update: kernel-5.11.7-300.fc34 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://security.netapp.com/advisory/ntap-20210401-0003/

CVE-2021-28375 Linux Kernel Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://git.kernel.org/linus/20c40794eb85ea29852d7bc37c55713802a543d6

kernel/git/torvalds/linux.git - Linux kernel source tree
Mailing List;Patch;Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TJPVQZPY3DHPV5I3IVNMSMO6D3PKZISX/

[SECURITY] Fedora 33 Update: kernel-tools-5.11.7-200.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url

Products affected by CVE-2021-28375

Linux » Linux Kernel
Versions from including (>=) 5.5 and before (<) 5.10.24
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 5.1 and before (<) 5.4.106
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 5.11 and before (<) 5.11.7
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 32
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 33
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 34
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Matching versions
Netapp » Cloud Backup » Version: N/A
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
Matching versions
Netapp » Solidfire Baseboard Management Controller Firmware » Version: N/A
cpe:2.3:o:netapp:solidfire_baseboard_management_controller_firmware:-:*:*:*:*:*:*:*
Matching versions