CVE-2021-27365 Overview
CVE-2021-27365 is a heap buffer overflow vulnerability in the Linux kernel through version 5.11.3. The flaw exists in the iSCSI subsystem where certain data structures lack appropriate length constraints or checks, allowing them to exceed the PAGE_SIZE value. An unprivileged local user can exploit this vulnerability by sending a specially crafted Netlink message associated with iSCSI operations, with a length up to the maximum length of a Netlink message.
Critical Impact
This vulnerability allows local unprivileged users to achieve privilege escalation through a heap buffer overflow in the kernel's iSCSI subsystem, potentially leading to complete system compromise.
Affected Products
- Linux Kernel (through version 5.11.3)
- Debian Linux 9.0
- Oracle Tekelec Platform Distribution
- NetApp SolidFire Baseboard Management Controller Firmware
- NetApp SolidFire Baseboard Management Controller
Discovery Timeline
- 2021-03-06 - Vulnerability disclosed on the Openwall OSS-Security Discussion
- 2021-03-07 - CVE-2021-27365 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-27365
Vulnerability Analysis
This vulnerability is classified as CWE-787 (Out-of-Bounds Write) and affects the iSCSI implementation within the Linux kernel. The root issue lies in the kernel's handling of Netlink messages related to iSCSI operations, where insufficient bounds checking allows data structures to grow beyond expected memory page boundaries.
The vulnerability is exploitable locally, requiring low privileges and no user interaction. An attacker with local access can leverage this flaw to write beyond allocated heap buffers, potentially corrupting adjacent memory structures. This memory corruption can be weaponized to achieve arbitrary code execution with kernel privileges, effectively escalating from an unprivileged user to root.
The attack surface is accessible to any local user on systems where the iSCSI kernel modules are loaded, which is common in enterprise environments and storage configurations. The lack of length constraints on iSCSI data structures means that carefully crafted Netlink messages can trigger the overflow condition.
Root Cause
The root cause stems from missing length constraints and validation checks in iSCSI data structures within the Linux kernel. Specifically, the kernel fails to properly validate the size of incoming Netlink messages before processing them, allowing oversized payloads that exceed PAGE_SIZE to be processed. This design flaw enables heap buffer overflow conditions when the kernel attempts to handle these malformed messages.
Attack Vector
The attack is local in nature, requiring the attacker to have unprivileged access to the target system. The attacker sends specially crafted Netlink messages targeting the iSCSI subsystem. These messages contain payloads designed to exceed normal size boundaries, triggering the heap overflow when the kernel processes them without adequate length validation.
The attack does not require user interaction and can be executed with minimal prerequisites. Once the heap overflow occurs, the attacker can leverage standard kernel exploitation techniques to achieve privilege escalation, including overwriting function pointers or manipulating kernel data structures.
The vulnerability is detailed in the Grimm Blog Linux Kernel Analysis, which provides in-depth technical analysis of the iSCSI subsystem flaws.
Detection Methods for CVE-2021-27365
Indicators of Compromise
- Unusual Netlink message activity targeting the iSCSI subsystem
- Kernel crash dumps or oops messages related to iSCSI or heap corruption
- Unexpected privilege escalation events from unprivileged user accounts
- Anomalous iSCSI module loading or configuration changes
Detection Strategies
- Monitor kernel logs for memory corruption indicators, heap overflows, or iSCSI-related crashes
- Implement audit rules to track Netlink socket operations and iSCSI-related system calls
- Deploy kernel-level monitoring to detect suspicious memory access patterns in the iSCSI subsystem
- Use SentinelOne's Singularity platform to detect exploitation attempts targeting kernel vulnerabilities
Monitoring Recommendations
- Enable kernel auditing to capture system call activity related to Netlink sockets
- Configure SIEM rules to alert on kernel panic events and iSCSI subsystem anomalies
- Monitor for unauthorized loading of iSCSI kernel modules
- Review authentication logs for unexpected privilege escalation patterns following local access
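The audit rule and log check recommended above, written out as an added example that is not part of the original page or of any vendor's tooling. It assumes an x86_64 host running auditd (socket() is syscall 41 there, and audit logs syscall arguments in hex, so AF_NETLINK = 16 appears as a0=10 and NETLINK_ISCSI = 8 as a2=8); the audit records it scans are constructed samples in the SYSCALL record format.

```shell
# Added example: auditd rule for NETLINK_ISCSI socket creation plus a triage
# helper that lists such sockets opened by non-root users.
# Assumptions: x86_64 (socket() = syscall 41), auditd SYSCALL record layout,
# AF_NETLINK = 16 (hex 10 in the log), NETLINK_ISCSI = 8.

# Rule to load with `auditctl` (as root) or to place under /etc/audit/rules.d/.
# auditctl takes decimal argument values; the log shows them in hex.
ISCSI_AUDIT_RULE='-a always,exit -F arch=b64 -S socket -F a0=16 -F a2=8 -k iscsi_netlink'

# flag_iscsi_netlink_sockets FILE
# Prints "uid=<uid> pid=<pid>" for every SYSCALL record in FILE that created a
# NETLINK_ISCSI socket from a non-root uid. Succeeds (exit 0) if any were found.
# iscsid itself runs as root, so its sockets are left out; an unprivileged uid
# opening this family is the precondition this CVE requires.
flag_iscsi_netlink_sockets() {
    awk '
        /type=SYSCALL/ && / syscall=41 / && / a0=10 / && / a2=8 / {
            uid = ""; pid = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^uid=/) uid = substr($i, 5)   # "uid=" is 4 chars
                if ($i ~ /^pid=/) pid = substr($i, 5)   # does not match ppid=
            }
            if (uid != "" && uid != "0") { print "uid=" uid " pid=" pid; found = 1 }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample audit log (not real data): one non-root NETLINK_ISCSI
# socket, one root (iscsid) NETLINK_ISCSI socket, one ordinary TCP socket.
ISCSI_AUDIT_SAMPLE=$(mktemp)
cat > "$ISCSI_AUDIT_SAMPLE" <<'EOF'
type=SYSCALL msg=audit(1615000000.101:201): arch=c000003e syscall=41 success=yes exit=3 a0=10 a1=3 a2=8 a3=0 items=0 ppid=1200 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 comm="nltest" exe="/home/user/nltest" key="iscsi_netlink"
type=SYSCALL msg=audit(1615000000.102:202): arch=c000003e syscall=41 success=yes exit=4 a0=10 a1=3 a2=8 a3=0 items=0 ppid=1 pid=899 auid=4294967295 uid=0 gid=0 euid=0 comm="iscsid" exe="/usr/sbin/iscsid" key="iscsi_netlink"
type=SYSCALL msg=audit(1615000000.103:203): arch=c000003e syscall=41 success=yes exit=5 a0=2 a1=1 a2=6 a3=0 items=0 ppid=1200 pid=1235 auid=1000 uid=1000 gid=1000 euid=1000 comm="curl" exe="/usr/bin/curl"
EOF

# Usage on a live host (as root):
#   auditctl $ISCSI_AUDIT_RULE
#   flag_iscsi_netlink_sockets /var/log/audit/audit.log
# Against the sample above this prints:  uid=1000 pid=1234
flag_iscsi_netlink_sockets "$ISCSI_AUDIT_SAMPLE"
```

A hit is not proof of exploitation, only of an unprivileged process touching the attack surface the page describes; correlate it with the kernel-log indicators listed above and with what the process was (the `comm` and `exe` fields of the same record) before escalating.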
How to Mitigate CVE-2021-27365
Immediate Actions Required
- Update the Linux kernel to a patched version (5.11.4 or later, or distribution-specific patches)
- Apply vendor-provided security updates for affected distributions (Debian, Oracle, NetApp)
- If patching is not immediately possible, consider disabling or unloading iSCSI kernel modules on systems that don't require them
- Review system access controls to limit local user access on affected systems
Patch Information
The Linux kernel maintainers have released fixes in the following commits:
Distribution-specific patches are available:
- Debian: Debian LTS Security Announcement
- Oracle: Oracle Security Alert CPUOctober2021
- NetApp: NetApp Security Advisory NTAP-20210409-0001
Live kernel patching is also available for supported distributions via the Packet Storm Security Notice.
Workarounds
- Disable iSCSI kernel modules if not required: modprobe -r iscsi_tcp libiscsi scsi_transport_iscsi
- Prevent automatic loading of iSCSI modules by blacklisting them in /etc/modprobe.d/
- Restrict local access to trusted users only on systems where iSCSI is required
- Implement network segmentation to limit exposure of systems running vulnerable kernels
# Configuration example - blacklist the iSCSI modules (run as root)
echo "blacklist iscsi_tcp" >> /etc/modprobe.d/blacklist-iscsi.conf
echo "blacklist libiscsi" >> /etc/modprobe.d/blacklist-iscsi.conf
echo "blacklist scsi_transport_iscsi" >> /etc/modprobe.d/blacklist-iscsi.conf
# Unload the modules if currently loaded (errors are suppressed; a module
# that is still in use, e.g. by an active iSCSI session, will not unload)
modprobe -r iscsi_tcp libiscsi scsi_transport_iscsi 2>/dev/null
# Verify: no output means no iSCSI modules are loaded
lsmod | grep iscsi
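A check-and-harden helper for the workaround above, added here as an example (it is not the page's own script nor any distribution's tooling). It assumes the upstream fix boundary stated on this page (5.11.4) and knows nothing about distribution backports, so a "needs workaround" result means "confirm against your vendor's advisory", not "definitely unpatched". It also writes the stronger `install <module> /bin/false` directive alongside `blacklist`, because `blacklist` only stops alias-based autoloading and does not stop an explicit `modprobe` of the module by name.

```shell
# Added example: decide whether a host still needs the iSCSI-module workaround
# for CVE-2021-27365 and apply a stronger form of it.
# Assumptions: upstream fix boundary 5.11.4 (from the page); no knowledge of
# vendor backports; module names as listed in the page's workaround.

ISCSI_MODULES="iscsi_tcp libiscsi scsi_transport_iscsi"

# kernel_version_lt A B : succeeds if dotted version A sorts before B.
# Only the first three numeric components are compared, so suffixes such as
# "-66-generic" are ignored.
kernel_version_lt() {
    printf '%s\n%s\n' "$1" "$2" | awk -F'[.-]' '
        NR == 1 { for (i = 1; i <= 3; i++) a[i] = $i + 0 }
        NR == 2 { for (i = 1; i <= 3; i++) b[i] = $i + 0 }
        END {
            for (i = 1; i <= 3; i++) {
                if (a[i] < b[i]) exit 0
                if (a[i] > b[i]) exit 1
            }
            exit 1
        }'
}

# kernel_needs_iscsi_workaround VERSION : succeeds if VERSION predates the
# upstream fix (5.11.4). Distribution kernels may carry the fix under an
# older version number; treat a hit as "check the vendor advisory".
kernel_needs_iscsi_workaround() {
    kernel_version_lt "$1" "5.11.4"
}

# iscsi_modules_loaded LSMOD_FILE : given a saved `lsmod` listing, prints the
# iSCSI modules that appear in it (first column) and succeeds if any do.
iscsi_modules_loaded() {
    awk -v mods="$ISCSI_MODULES" '
        BEGIN { n = split(mods, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        NR > 1 && ($1 in w) { print $1; found = 1 }
        END { if (found) exit 0; exit 1 }' "$1"
}

# write_iscsi_modprobe_conf [PATH] : writes both "blacklist" (blocks alias
# autoload) and "install X /bin/false" (refuses explicit loading too) for
# each module. Defaults to /etc/modprobe.d/disable-iscsi.conf, which needs root.
write_iscsi_modprobe_conf() {
    conf="${1:-/etc/modprobe.d/disable-iscsi.conf}"
    for m in $ISCSI_MODULES; do
        printf 'blacklist %s\ninstall %s /bin/false\n' "$m" "$m"
    done > "$conf"
}

# Usage on a live host (as root):
#   if kernel_needs_iscsi_workaround "$(uname -r)"; then
#       write_iscsi_modprobe_conf
#       modprobe -r $ISCSI_MODULES 2>/dev/null
#       lsmod > /tmp/lsmod.txt && iscsi_modules_loaded /tmp/lsmod.txt \
#           && echo "iSCSI modules still loaded (in use?)"
#   fi
```

The version check is deliberately conservative: it only ever says a kernel predates the upstream fix, never that a kernel is safe, because a vendor kernel reporting 5.4.x may well have the fix backported. Pair it with the distribution advisories listed under Patch Information before deciding that a host is clean.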
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.