March Vuln of the Month: CVE-2021-43267
On this Exploit Wednesday, our March Vuln of the Month is a heap overflow vulnerability in Linux kernel versions prior to 5.14.16. Susceptible instances of Linux could leave organizations vulnerable to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). And since it’s both remotely and locally exploitable—and, in fact, has been exploited—this is a high-risk vuln for affected organizations.
Our research shows that CVE-2021-43267 meets many of the criteria we look for in a vulnerability that could be exploited, including:
- Access complexity: Low
- Potential attack surface: Broad
- Exploitable remotely: Yes
- Authentication/privilege requirements: None
- Potential impact on availability: High
- Exploit code published: No
- Active exploits observed: Yes
The Kenna Risk Score for CVE-2021-43267 is 84, which represents a greater risk level than 99.4% of all vulns we’ve scored. Considering it has received a “Critical” score of 9.8 from CVSS 3.x and a 7.5 “High” rating from CVSS 2.0, it’s clear this vuln is a risk for Linux shops and for organizations that use products based on the Linux kernel. And since we’ve seen reports of successful exploits, there is real-world proof that CVE-2021-43267 is a threat.
Why CVE-2021-43267 matters
The implications of CVE-2021-43267 are significant because this vulnerability in the Transparent Inter Process Communication (TIPC) module of the Linux kernel could allow local exploitation and remote code execution, and potentially lead to full system compromise. TIPC is a message-passing protocol that lets nodes within a cluster communicate with each other. Because the TIPC code lacks size verification checks on incoming messages, an attacker can pose as a peer node, deliver a malicious domain record, and trigger a DoS via kernel panic. And it can all happen remotely, with no authentication needed.
The dynamic nature of vulns
CVE-2021-43267 illustrates how the relative risk of a specific vulnerability can be a moving target. On Nov. 11 of last year, Kenna increased its Risk Score for CVE-2021-43267 from 25 to 38. Three weeks later, the score dropped to 34. It stayed there for several more weeks until Jan. 23, when its Kenna Risk Score jumped to 84.
25, 38, 34, 84. Now that’s what I’d call dynamic.
Why the changes? As I noted in a recent blog, fluctuations in the risk level of individual CVEs aren’t unusual at Kenna Security. We are constantly assessing vulns for the likelihood they will be exploited—and specifically, the likelihood they’ll be exploited within your unique environment. This requires analyzing mountains of contextual data (including data from 18+ vulnerability and exploit intel feeds and insights from 12.7 billion managed vulnerabilities) through a host of advanced data science techniques. The result is we are able to predict the weaponization of new vulnerabilities with a 94% accuracy rate. Some vulnerabilities, like March’s Vuln of the Month, take a while for bad actors to exploit. These late bloomers may not present as high risk at first (I’m talking to you, Risk Score of 25), but they come into their own over time as their likelihood of exploitation becomes clearer.
We assessed CVE-2021-43267 to be a vulnerability of fairly middling risk until a successful breach was reported. That incident—and that new context—demonstrated this vuln was a real risk, and its Kenna Risk Score more than doubled in a day.
I explained last month that a Kenna Risk Score measures the current risk level of a CVE. Having that contemporary gauge helps you determine what’s worth fixing today. CVSS, on the other hand, measures the maximum potential severity of a CVE. And in some cases, a “Critical” CVE may never live up to its high CVSS score, so if you act on CVSS scores alone, you might end up devoting your finite resources to patching that vuln simply out of the prospect it could, someday, maybe pose a risk to you. But is that how you want to spend your time? (Learn more about the difference between vulnerability scores and risk scores.)
Bottom line
CVE-2021-43267 affects Linux kernel versions before 5.14.16. Not all Linux implementations are at risk, however: although the TIPC module ships with all major Linux distributions, it must be enabled for an implementation to be vulnerable to attack. But the potential ramifications (and possible damage) are serious enough for any Linux administrator to take the time to confirm whether they’re at risk and to deal with it ASAP if they are. Remote code execution, no privileges, the potential for data loss, or even full system compromise—it’s all here. And it’s all pretty bad.
Mitigation status
To protect themselves, at-risk Linux users should apply this patch. By applying appropriate size-verification checks, the patch should effectively close the vulnerability. Openwall also provides some helpful remediation guidance. Finally, NetApp, some of whose products incorporate the Linux kernel, has issued this advisory.
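To make the "confirm whether you're at risk" step concrete, here is an added shell check (my own example, not code from this post, from Kenna, or from the kernel project) that flags a host running a kernel older than 5.14.16 with the tipc module loaded. It assumes a Linux host where `uname -r` and `/proc/modules` are available; the function and variable names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: a first-pass check for the exposure
# the post describes, a kernel older than 5.14.16 with the tipc module loaded.

FIXED_VERSION="5.14.16"   # first fixed mainline release named in the post

# Strip distro suffixes so "5.14.15-arch1-1" compares as "5.14.15".
normalize_version() {
    printf '%s' "$1" | sed -e 's/[^0-9.].*//'
}

# Succeed (return 0) when $1 is strictly older than $2; missing fields count as 0.
version_older_than() {
    a=$(normalize_version "$1"); b=$(normalize_version "$2")
    for i in 1 2 3; do
        # pad with ".0.0.0" so cut always sees a delimiter
        x=$(printf '%s.0.0.0' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s.0.0.0' "$b" | cut -d. -f"$i"); y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# Succeed when tipc appears in the module table; $1 overrides /proc/modules so a
# captured copy can be checked. TIPC compiled into the kernel is not listed there.
tipc_module_loaded() {
    modules="${1:-/proc/modules}"
    [ -r "$modules" ] && grep -q '^tipc ' "$modules"
}

# Prints a verdict and returns 0 (kernel outside the affected range),
# 1 (affected kernel, tipc not loaded) or 2 (affected kernel and tipc loaded).
assess_host() {
    running="${1:-$(uname -r)}"
    if ! version_older_than "$running" "$FIXED_VERSION"; then
        echo "kernel $running: at or past $FIXED_VERSION, outside the affected range"
        return 0
    fi
    if tipc_module_loaded "$2"; then
        echo "kernel $running: older than $FIXED_VERSION and tipc is loaded: at risk, patch now"
        return 2
    fi
    echo "kernel $running: older than $FIXED_VERSION, tipc not loaded (exposed once it is)"
    return 1
}

assess_host "$(uname -r)"   # exit status 0/1/2 is usable from automation
```

The version test is only a first pass: distribution kernels often backport the fix without moving past 5.14.16, so confirm against your distro's advisory before trusting a "2" verdict or dismissing a "0". Also check for TIPC compiled directly into the kernel, which never appears in /proc/modules.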
Watch this space for regular Vuln of the Month spotlights, which appear on Exploit Wednesday, the day following Microsoft’s monthly Patch Tuesday patch release. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our vulnerability intelligence powered by machine learning.