Vulnerability Details: CVE-2021-3490
Public exploit exists!
The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out-of-bounds reads and writes in the Linux kernel and therefore arbitrary code execution. This issue was fixed via commit 049c4e13714e ("bpf: Fix alu32 const subreg bound tracking on bitwise operations") (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking") (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 ("bpf: Fix a verifier failure with xor") (5.10-rc1).
Vulnerability category: Memory Corruption, Input validation
Products affected by CVE-2021-3490
- cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:5.13:-:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:*
- cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:20.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:21.04:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-3490
- 0.23%: Probability of exploitation activity in the next 30 days
- ~61%: Percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2021-3490
- Linux eBPF ALU32 32-bit Invalid Bounds Tracking LPE
  Disclosure Date: 2021-05-11
  First seen: 2022-12-23
  exploit/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe
  Linux kernels from 5.7-rc1 prior to 5.13-rc4, 5.12.4, 5.11.21, and 5.10.37 are vulnerable to a bug in the eBPF verifier's verification of ALU32 operations in the scalar32_min_max_and function when performing AND operations, whereby under certain conditions th
CVSS scores for CVE-2021-3490
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C | 3.9 | 10.0 | NIST | |
7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 | NIST | |
7.8 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H | 1.1 | 6.0 | Canonical Ltd. | |
CWE ids for CVE-2021-3490
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
  Assigned by: security@ubuntu.com (Secondary)
- The product reads data past the end, or before the beginning, of the intended buffer.
  Assigned by: nvd@nist.gov (Primary)
- The product writes data past the end, or before the beginning, of the intended buffer.
  Assigned by: nvd@nist.gov (Primary), security@ubuntu.com (Secondary)
References for CVE-2021-3490
- https://www.openwall.com/lists/oss-security/2021/05/11/11
  oss-security - CVE-2021-3490 - Linux kernel eBPF bitwise ops ALU32 bounds tracking
  Mailing List; Patch; Third Party Advisory
- http://packetstormsecurity.com/files/164015/Linux-eBPF-ALU32-32-bit-Invalid-Bounds-Tracking-Local-Privilege-Escalation.html
  Linux eBPF ALU32 32-bit Invalid Bounds Tracking Local Privilege Escalation ≈ Packet Storm
  Exploit; Third Party Advisory; VDB Entry
- https://ubuntu.com/security/notices/USN-4949-1
  USN-4949-1: Linux kernel vulnerabilities | Ubuntu security notices | Ubuntu
  Third Party Advisory
- https://www.zerodayinitiative.com/advisories/ZDI-21-606/
  ZDI-21-606 | Zero Day Initiative
  Third Party Advisory; VDB Entry
- https://ubuntu.com/security/notices/USN-4950-1
  USN-4950-1: Linux kernel vulnerabilities | Ubuntu security notices | Ubuntu
  Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210716-0004/
  June 2021 Linux Kernel 5.12.4 Vulnerabilities in NetApp Products | NetApp Product Security
  Third Party Advisory
- https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=049c4e13714ecbca567b4d5f6d563f05d431c80e
  kernel/git/bpf/bpf.git - BPF kernel tree
  Patch; Vendor Advisory