CVE-2021-23133 : A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc

A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket.

Published 2021-04-22 18:15:08

Updated 2023-07-28 19:34:48

Source Palo Alto Networks, Inc.

View at NVD, CVE.org

Vulnerability category: Gain privilege

Products affected by CVE-2021-23133

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 4.15 and before (<) 4.19.189
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 4.10 and before (<) 4.14.232
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 5.5 and before (<) 5.10.32
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 5.11 and before (<) 5.11.16
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Linux » Linux Kernel
Versions from including (>=) 4.20 and before (<) 5.4.114
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Matching versions
Broadcom » Brocade Fabric Operating System » Version: N/A
cpe:2.3:o:broadcom:brocade_fabric_operating_system:-:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 32
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 33
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 34
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Matching versions
Netapp » Cloud Backup » Version: N/A
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
Matching versions
Netapp » Solidfire & Hci Management Node » Version: N/A
cpe:2.3:a:netapp:solidfire_\&_hci_management_node:-:*:*:*:*:*:*:*
Matching versions
Netapp » H410c Firmware » Version: N/A
cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H410c » Version: N/A
Netapp » H300s Firmware » Version: N/A
cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H300s » Version: N/A
Netapp » H500s Firmware » Version: N/A
cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H500s » Version: N/A
Netapp » H700s Firmware » Version: N/A
cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H700s » Version: N/A
Netapp » H300e Firmware » Version: N/A
cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H300e » Version: N/A
Netapp » H500e Firmware » Version: N/A
cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H500e » Version: N/A
Netapp » H700e Firmware » Version: N/A
cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H700e » Version: N/A
Netapp » H410s Firmware » Version: N/A
cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » H410s » Version: N/A
Netapp » Solidfire Baseboard Management Controller Firmware » Version: N/A
cpe:2.3:o:netapp:solidfire_baseboard_management_controller_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Netapp » Solidfire Baseboard Management Controller » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2021-23133

EPSS FAQ

0.02%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 5 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-23133

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.9	MEDIUM	AV:L/AC:M/Au:N/C:C/I:C/A:C	3.4	10.0	NIST
Access Vector: Local Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
7.0	HIGH	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	1.0	5.9	NIST
Attack Vector: Local Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
6.7	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H	0.8	5.9	Palo Alto Networks, Inc.
Attack Vector: Local Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2021-23133

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Assigned by:
- nvd@nist.gov (Primary)
- psirt@paloaltonetworks.com (Secondary)

References for CVE-2021-23133

http://www.openwall.com/lists/oss-security/2021/05/10/3

oss-security - Re: CVE-2021-23133: Linux kernel: race condition in sctp sockets
Mailing List;Patch;Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/05/10/1

oss-security - Re: CVE-2021-23133: Linux kernel: race condition in sctp sockets
Mailing List;Patch;Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/05/10/4

oss-security - Re: CVE-2021-23133: Linux kernel: race condition in sctp sockets
Mailing List;Patch;Third Party Advisory
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b166a20b07382b8bc1dcee2a448715c9c2c81b5b

kernel/git/torvalds/linux.git - Linux kernel source tree
Mailing List;Patch;Vendor Advisory
https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html

[SECURITY] [DLA 2690-1] linux-4.19 security update
Mitigation;Third Party Advisory

CVEs referencing this url
https://lists.debian.org/debian-lts-announce/2021/06/msg00020.html

[SECURITY] [DLA 2689-1] linux security update
Mitigation;Third Party Advisory

CVEs referencing this url
https://www.openwall.com/lists/oss-security/2021/04/18/2

oss-security - CVE-2021-23133: Linux kernel: race condition in sctp sockets
Exploit;Mailing List;Patch;Third Party Advisory
http://www.openwall.com/lists/oss-security/2021/05/10/2

oss-security - Re: CVE-2021-23133: Linux kernel: race condition in sctp sockets
Mailing List;Patch;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CUX2CA63453G34C6KYVBLJXJXEARZI2X/

[SECURITY] Fedora 33 Update: kernel-5.11.16-200.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XZASHZVCOFJ4VU2I3BN5W5EPHWJQ7QWX/

[SECURITY] Fedora 34 Update: kernel-5.11.16-300.fc34 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PAEQ3H6HKNO6KUCGRZVYSFSAGEUX23JL/

[SECURITY] Fedora 32 Update: kernel-5.11.16-100.fc32 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20210611-0008/

CVE-2021-23133 Linux Kernel Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory

Jump to

Vulnerability Details : CVE-2021-23133

Products affected by CVE-2021-23133

Exploit prediction scoring system (EPSS) score for CVE-2021-23133

CVSS scores for CVE-2021-23133

CWE ids for CVE-2021-23133

References for CVE-2021-23133