CVE-2021-27364 Overview
An out-of-bounds read vulnerability was discovered in the Linux kernel through version 5.11.3, in the iSCSI SCSI transport subsystem (drivers/scsi/scsi_transport_iscsi.c). The kernel's NETLINK_ISCSI message handler accepted messages from any local user and trusted length fields carried inside them, so an unprivileged local user who crafts Netlink messages can make the kernel read beyond the end of the received message. The result is disclosure of adjacent kernel memory or a kernel crash. The fix shipped in Linux 5.11.4 and in distribution kernels that backported it.
Critical Impact
Local attackers can abuse the missing privilege and length checks in the iSCSI Netlink handler to read kernel memory beyond the message buffer or to crash the kernel (denial of service). Leaked kernel data or pointer values can also serve as a building block in a privilege-escalation chain; on its own this flaw does not grant elevated privileges.
Affected Products
- Linux Kernel (through version 5.11.3)
- Debian Linux 9.0
- Canonical Ubuntu Linux 14.04 ESM, 16.04 LTS, 18.04 LTS, 20.04 LTS
- NetApp SolidFire Baseboard Management Controller Firmware
- Oracle Tekelec Platform Distribution
Discovery Timeline
- March 7, 2021 - CVE-2021-27364 published to NVD; fixes released in Linux 5.11.4
- March 12, 2021 - Public write-up by GRIMM, who reported this bug together with CVE-2021-27363 and CVE-2021-27365
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-27364
Vulnerability Analysis
This vulnerability is classified as CWE-125 (Out-of-Bounds Read) and affects the iSCSI SCSI transport layer in the Linux kernel. The flaw stems from two missing checks in the Netlink receive path of the iSCSI subsystem: the handler did not require any capability from the sending process, and for the passthrough PDU message type (ISCSI_UEVENT_SEND_PDU) it did not verify that the PDU header and data lengths carried in the message fit inside the Netlink payload (nlmsg_len). When an unprivileged user sends a message whose embedded lengths exceed the payload actually sent, the kernel reads past the end of the received message into adjacent kernel memory.
The over-read bytes are whatever follows the message in kernel heap memory, so the disclosure is opportunistic rather than targeted: the attacker cannot choose which data is exposed, but kernel pointer values or other sensitive contents may be among it. A large enough over-read can also fault, triggering a kernel oops or panic and resulting in denial of service.
Root Cause
The root cause lies in the scsi_transport_iscsi.c driver's handling of Netlink communication. The receive loop bounded each message's nlmsg_len against the received buffer, but the per-message fields set by userspace (the PDU header size and data size in a SEND_PDU request) were handed to the transport without being checked against that length, so the kernel read beyond the message. Compounding this, the NETLINK_ISCSI family was exposed without any capability check: any local user could open a NETLINK_ISCSI socket and have the kernel process iSCSI management requests that are meant to come only from the privileged iSCSI daemon (iscsid).
Attack Vector
The attack requires local access to the target system. An unprivileged attacker can exploit this vulnerability by:
- Opening a Netlink socket of the NETLINK_ISCSI family (protocol 8), which requires no privileges
- Crafting a Netlink message whose embedded PDU header and data lengths exceed the payload actually sent
- Sending the message to the kernel to trigger an out-of-bounds read past the end of the received message
- Observing the result: a kernel crash, or leaked bytes where the transport forwards the over-read data
The attack surface is significant because Netlink sockets can be created by unprivileged users, and the iSCSI transport module is commonly loaded on enterprise Linux systems for storage connectivity. Note that "module not currently loaded" is not in itself a protection: scsi_transport_iscsi carries a module alias for the NETLINK_ISCSI protocol, so on a kernel with module autoloading an unprivileged process that creates a NETLINK_ISCSI socket causes the module to be loaded on demand whenever it is installed.
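The following added example is not kernel code and not part of the original advisory; it is a user-space model of the SEND_PDU receive path described in the Root Cause and Attack Vector sections above. It shows how far an unchecked handler would read past a message whose embedded lengths are inflated, why a naive "hdr_size + data_size <= pdu_len" test is not a safe fix (the 32-bit sum wraps), and the two checks the fix series introduced (CAP_SYS_ADMIN on the sender, then bounding hdr_size and data_size against the payload). The struct layouts (nl_hdr, iscsi_ev) and the function names (build_msg, recv_send_pdu, scenario) are simplified stand-ins chosen for this example, not the kernel's definitions, and no real Netlink socket is opened.

```c
/*
 * Added example, not kernel code: a user-space model of the NETLINK_ISCSI
 * receive path for a passthrough SEND_PDU message. The structs are
 * simplified stand-ins for struct nlmsghdr and struct iscsi_uevent.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct nl_hdr {                 /* simplified struct nlmsghdr */
    uint32_t nlmsg_len;         /* header + payload length; the receive loop
                                   already bounds this against the skb */
    uint16_t nlmsg_type;
    uint16_t nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;
};

struct iscsi_ev {               /* simplified struct iscsi_uevent, SEND_PDU fields only */
    uint32_t type;
    uint64_t transport_handle;
    uint32_t hdr_size;          /* sender-controlled: PDU header bytes that follow */
    uint32_t data_size;         /* sender-controlled: PDU data bytes after the header */
};

/* Constructed test input: header, event, then payload_len bytes of 0xAA.
 * Returns the total message size, or 0 if buf is too small. */
static size_t build_msg(uint8_t *buf, size_t buf_len, uint32_t hdr_size,
                        uint32_t data_size, uint32_t payload_len)
{
    size_t total = sizeof(struct nl_hdr) + sizeof(struct iscsi_ev) + payload_len;
    if (total > buf_len)
        return 0;
    struct nl_hdr nlh = { .nlmsg_len = (uint32_t)total, .nlmsg_type = 0 };
    struct iscsi_ev ev = { .type = 0, .transport_handle = 0,
                           .hdr_size = hdr_size, .data_size = data_size };
    memcpy(buf, &nlh, sizeof nlh);
    memcpy(buf + sizeof nlh, &ev, sizeof ev);
    memset(buf + sizeof nlh + sizeof ev, 0xAA, payload_len);
    return total;
}

/* Bytes an unpatched handler would read beyond the Netlink message if it
 * passed hdr_size and data_size straight to the transport (0 if consistent). */
static uint64_t unchecked_overread(uint32_t hdr_size, uint32_t data_size, uint32_t pdu_len)
{
    uint64_t want = (uint64_t)hdr_size + data_size;
    return want > pdu_len ? want - pdu_len : 0;
}

/* The obvious-but-wrong check: the u32 sum wraps and the comparison passes. */
static bool naive_check_passes(uint32_t hdr_size, uint32_t data_size, uint32_t pdu_len)
{
    return (uint32_t)(hdr_size + data_size) <= pdu_len;
}

/* Patched receive path for one SEND_PDU message.
 *  -EPERM  : sender lacks CAP_SYS_ADMIN (the access-control fix, netlink_capable())
 *  -EINVAL : embedded lengths do not fit in the payload (the length-check fix)
 *  0       : message accepted */
static int recv_send_pdu(const uint8_t *msg, size_t msg_len, bool sender_has_cap_sys_admin)
{
    struct nl_hdr nlh;
    struct iscsi_ev ev;

    /* The receive loop already ensures header and event fit inside the buffer. */
    if (msg_len < sizeof nlh + sizeof ev)
        return -EINVAL;
    memcpy(&nlh, msg, sizeof nlh);
    if (nlh.nlmsg_len < sizeof nlh + sizeof ev || nlh.nlmsg_len > msg_len)
        return -EINVAL;

    if (!sender_has_cap_sys_admin)          /* first added check: privilege */
        return -EPERM;

    memcpy(&ev, msg + sizeof nlh, sizeof ev);
    uint32_t pdu_len = nlh.nlmsg_len - (uint32_t)(sizeof nlh + sizeof ev);

    /* Second added check. Testing hdr_size alone first makes the subtraction
     * safe, so no u32 wraparound is possible, unlike naive_check_passes(). */
    if (ev.hdr_size > pdu_len || ev.data_size > pdu_len - ev.hdr_size)
        return -EINVAL;
    return 0;
}

/* Build a message with the given lengths and run it through the patched path. */
static int scenario(uint32_t hdr_size, uint32_t data_size, uint32_t payload_len, bool cap)
{
    uint8_t buf[512];
    size_t n = build_msg(buf, sizeof buf, hdr_size, data_size, payload_len);
    return n ? recv_send_pdu(buf, n, cap) : -ENOMEM;
}

int main(void)
{
    printf("consistent, admin:        %d\n", scenario(48, 16, 64, true));
    printf("consistent, unprivileged: %d\n", scenario(48, 16, 64, false));
    printf("oversized data_size:      %d\n", scenario(48, 4096, 64, true));
    printf("  overread if unchecked:  %llu bytes\n",
           (unsigned long long)unchecked_overread(48, 4096, 64));
    printf("wraparound lengths:       %d, naive check passes: %d\n",
           scenario(0xFFFFFFF0u, 0x40, 64, true),
           naive_check_passes(0xFFFFFFF0u, 0x40, 64));
    return 0;
}
```

The message with a 4096-byte data_size on a 64-byte payload illustrates the bug: an unpatched handler would read 4080 bytes past the message. The wraparound case (hdr_size 0xFFFFFFF0, data_size 0x40) passes the naive summed check yet is rejected by the ordered comparison, which is why the fix tests hdr_size before subtracting it from pdu_len.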
Detection Methods for CVE-2021-27364
Indicators of Compromise
- NETLINK_ISCSI sockets (AF_NETLINK, protocol 8) opened by processes other than the iSCSI daemon (iscsid) or other known storage tooling
- Kernel log messages indicating iSCSI transport errors, or oops/BUG/KASAN splats with iscsi_if_recv_msg or iscsi_if_rx in the backtrace
- System instability or kernel panics related to SCSI subsystem operations
- scsi_transport_iscsi present in lsmod on hosts that use no iSCSI storage, a sign it was autoloaded by a NETLINK_ISCSI socket
Detection Strategies
- Monitor for processes creating Netlink sockets of the NETLINK_ISCSI protocol family (socket() with domain AF_NETLINK = 16 and protocol 8)
- Implement kernel audit rules that record the socket syscall with those argument values, keyed so the events can be searched and correlated with the calling process and user
- Deploy endpoint detection solutions capable of monitoring kernel-userspace communication patterns
- Review system logs for SCSI transport errors or unexpected iSCSI-related kernel messages
Monitoring Recommendations
- Enable kernel auditing for Netlink socket creation and iSCSI subsystem interactions
- Configure SentinelOne Singularity Platform to detect anomalous kernel memory access patterns
- Implement centralized log collection for kernel messages related to SCSI transport operations
- Establish baseline monitoring for legitimate iSCSI activity to identify deviations
How to Mitigate CVE-2021-27364
Immediate Actions Required
- Update affected Linux kernel installations to patched versions immediately
- Apply vendor-specific patches from Debian, Ubuntu, NetApp, or Oracle as applicable
- Restrict local user access on systems where kernel updates cannot be immediately applied
- Unload the scsi_transport_iscsi module if iSCSI functionality is not required
Patch Information
The Linux kernel development team addressed this vulnerability in commit 688e8128b7a92df982709a4137ea4588d16f24aa ("scsi: iscsi: Restrict sessions and handles to admin capabilities"), which makes the NETLINK_ISCSI receive path reject messages from senders lacking CAP_SYS_ADMIN (via netlink_capable()) and restricts the iSCSI transport interfaces accordingly. A companion commit in the same fix series, "scsi: iscsi: Verify lengths on passthrough PDUs", adds the bounds check that rejects SEND_PDU messages whose header and data sizes do not fit within the Netlink payload. Both landed in Linux 5.11.4 and were backported to the stable branches.
Multiple distribution vendors have released security updates:
- Debian released patches via Debian LTS Security Announcements
- Canonical provides kernel live patches for supported Ubuntu releases
- Oracle addressed the issue in CPU October 2021
- NetApp released Security Advisory NTAP-20210409-0001
Workarounds
- Blacklist or unload the scsi_transport_iscsi kernel module using modprobe -r scsi_transport_iscsi if iSCSI storage is not in use; the removal only succeeds once the modules that depend on it (iscsi_tcp, libiscsi and any iSCSI HBA drivers) are unloaded, and it is not possible at all when the transport is built into the kernel
- Prevent reloading with both a blacklist entry (which stops the NETLINK_ISCSI alias-based autoload) and an install rule pointing at /bin/false (which also blocks loading by name or as a dependency of another module)
- Restrict local user access through enhanced access controls and privilege management
- Implement network segmentation for systems requiring iSCSI connectivity
- Where iSCSI must stay enabled on an unpatched kernel, note that no sysctl restricts NETLINK_ISCSI to privileged users; the closest control is an LSM policy (SELinux has a dedicated netlink_iscsi_socket class) that denies unprivileged domains the creation of such sockets
# Configuration example (the transport must be a loadable module; "modinfo -F filename" prints "(builtin)" otherwise)
modinfo -F filename scsi_transport_iscsi
# Unload the iSCSI transport and its users if not needed; modprobe -r refuses with "Module ... is in use"
# while iscsi_tcp/libiscsi or an HBA driver still depends on it, so adjust the list to what lsmod shows
sudo modprobe -r iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi
# Prevent automatic loading: "blacklist" disables the module's aliases, including the NETLINK_ISCSI one an
# unprivileged socket() would trigger; "install ... /bin/false" also stops loading by name or as a dependency
printf 'blacklist scsi_transport_iscsi\ninstall scsi_transport_iscsi /bin/false\n' | sudo tee /etc/modprobe.d/blacklist-iscsi.conf
# Verify: the dry run should resolve to /bin/false, and no iSCSI module should remain loaded
modprobe -n -v scsi_transport_iscsi
lsmod | grep -i iscsi
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


