CVE-2021-27365: Linux Kernel Privilege Escalation Flaw

CVE-2021-27365 is a privilege escalation vulnerability in Linux Kernel affecting iSCSI data structures. Unprivileged users can exploit this flaw to escalate privileges. This article covers technical details, affected versions, impact, and mitigation.

CVE-2021-27365 Overview

CVE-2021-27365 is a heap buffer overflow [CWE-787] in the Linux kernel iSCSI subsystem affecting versions through 5.11.3. Certain iSCSI data structures lack appropriate length constraints, allowing values to exceed PAGE_SIZE. An unprivileged local user can send a Netlink message associated with iSCSI containing a length up to the maximum Netlink message size. The flaw enables local privilege escalation and kernel memory disclosure on affected systems.

Critical Impact

An unprivileged local user can trigger a kernel heap overflow through the iSCSI Netlink interface, leading to privilege escalation, information disclosure, and potential system compromise on any Linux distribution shipping the vulnerable libiscsi module.

Affected Products

  • Linux Kernel (all versions through 5.11.3)
  • Debian Linux 9.0
  • Oracle Tekelec Platform Distribution
  • NetApp SolidFire Baseboard Management Controller firmware

Discovery Timeline

  • 2021-03-06 - Public disclosure via the Openwall oss-security mailing list and the GRIMM research blog
  • 2021-03-07 - CVE-2021-27365 published to the National Vulnerability Database
  • 2021-04-09 - NetApp publishes security advisory ntap-20210409-0001
  • 2021-10 - Oracle includes the fix in its Critical Patch Update
  • 2024-11-21 - Last updated in the NVD database

Technical Details for CVE-2021-27365

Vulnerability Analysis

The vulnerability resides in the kernel's iSCSI transport subsystem, specifically in the libiscsi module (drivers/scsi/libiscsi.c) and scsi_transport_iscsi.c. The iSCSI subsystem exposes a Netlink-based control interface that allows userspace processes to send configuration and management messages to the kernel. Several handler functions copy attribute data into kernel buffers without validating that the source length is constrained to PAGE_SIZE.

Netlink messages can carry payloads up to the maximum Netlink message size, which is far larger than a single page. When a handler such as iscsi_if_set_param copies an oversized parameter into a destination sized on the assumption of PAGE_SIZE, the copy runs past the end of the buffer, producing an out-of-bounds write in kernel heap memory.

The affected attributes include host parameters and connection parameters that accept string-typed data without bounds checking. Successful exploitation corrupts adjacent kernel slab objects, which an attacker can leverage to overwrite function pointers or credentials structures.

Root Cause

The root cause is missing length validation on user-controlled Netlink message attributes processed by the iSCSI transport class. The code assumed parameter values would fit within PAGE_SIZE, but this constraint was never enforced. The bug was introduced in 2006 and remained latent for approximately 15 years.

Attack Vector

Exploitation requires local code execution as an unprivileged user on a system where the scsi_transport_iscsi module is loaded or autoloadable. On many Linux distributions, the module loads automatically when an unprivileged process creates a NETLINK_ISCSI socket. The attacker crafts a Netlink message with an oversized attribute and sends it to the iSCSI subsystem, triggering the heap overflow.

The vulnerability manifests in the Netlink attribute handlers within scsi_transport_iscsi.c. See the GRIMM blog writeup on these Linux kernel bugs and the upstream fixes in Linux kernel commits ec98ea7 and f9dbdf9 for details of the additional length checks added to the affected handlers.

Detection Methods for CVE-2021-27365

Indicators of Compromise

  • Unexpected loading of the scsi_transport_iscsi or libiscsi kernel modules triggered by non-root processes
  • Kernel oops or panic messages referencing iSCSI functions in dmesg or /var/log/kern.log
  • Unprivileged processes opening AF_NETLINK sockets with the NETLINK_ISCSI protocol (protocol number 8)
  • Anomalous privilege transitions where a non-root user gains UID 0 without invoking known setuid binaries

Detection Strategies

  • Audit socket() syscalls that request the NETLINK_ISCSI protocol and originate from unprivileged user contexts
  • Monitor kernel module autoload events for scsi_transport_iscsi triggered outside of legitimate storage provisioning workflows
  • Deploy eBPF or auditd rules to log oversized Netlink message payloads sent to iSCSI sockets
  • Correlate kernel crash signatures referencing iscsi_if_recv_msg or iscsi_set_param with subsequent privilege changes

Monitoring Recommendations

  • Forward kernel audit logs and dmesg output to a centralized log analytics platform for retroactive hunting
  • Track running kernel versions across the Linux estate and alert on hosts running kernel ≤ 5.11.3 without backported patches
  • Establish a baseline for which hosts legitimately use iSCSI initiators and flag iSCSI module activity on hosts outside that baseline
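The detection and monitoring steps above in a runnable form, as an added example that is not part of the original page or any vendor tooling: an auditd rule for NETLINK_ISCSI socket creation, a scan of kernel log lines for the handler names listed above, and a version check against the 5.11.3 cutoff. The audit rule assumes AF_NETLINK = 16, NETLINK_ISCSI = 8 and auid >= 1000 as the ordinary-user boundary; the kernel log lines are constructed samples.

```shell
# Added example, not from the page: helpers for the detection and monitoring steps above.
# Assumed constants: AF_NETLINK=16, NETLINK_ISCSI=8, auid>=1000 as the ordinary-user
# boundary. The 5.11.3 cutoff is the one stated on the page.

# Print an auditd rule recording socket(2) calls that create NETLINK_ISCSI sockets from
# logged-in, non-system users. socket(domain, type, protocol): a0=domain, a2=protocol.
# Append to /etc/audit/rules.d/iscsi.rules and load with augenrules --load; add an
# arch=b32 rule as well on hosts that run 32-bit binaries.
iscsi_audit_rule() {
  printf '%s\n' '-a always,exit -F arch=b64 -S socket -F a0=16 -F a2=8 -F auid>=1000 -F auid!=unset -k cve_2021_27365_iscsi_netlink'
}

# Count kernel log lines (stdin) referencing the iSCSI Netlink handlers named in the
# detection strategies; any hit on a host outside the iSCSI baseline deserves a look.
iscsi_crash_signature_count() {
  grep -c -E 'iscsi_if_recv_msg|iscsi_set_param|iscsi_if_set_param|scsi_transport_iscsi'
}

# Return 0 when a kernel release string (uname -r output) is numerically <= 5.11.3.
# Version-only heuristic: vendor kernels with a backported fix still match, so treat a
# hit as "verify against the distribution advisory", not as proof of exposure.
kernel_is_vulnerable() {
  ver=${1%%-*}                     # "5.10.0-8-amd64" -> "5.10.0"
  maj=${ver%%.*}
  rest=${ver#*.}
  min=${rest%%.*}
  case $rest in
    *.*) pat=${rest#*.}; pat=${pat%%[!0-9]*} ;;   # "3+" -> "3"
    *)   pat=0 ;;
  esac
  [ -n "$pat" ] || pat=0
  [ "$maj" -lt 5 ] && return 0
  [ "$maj" -gt 5 ] && return 1
  [ "$min" -lt 11 ] && return 0
  [ "$min" -gt 11 ] && return 1
  [ "$pat" -le 3 ]
}

# Constructed sample kernel log lines (not real crash output) for the scan.
SAMPLE_KERN_LOG='kernel: BUG: KASAN: slab-out-of-bounds in iscsi_if_recv_msg+0x1234/0x5678
kernel: Call Trace:
kernel:  iscsi_set_param+0x42/0x80 [scsi_transport_iscsi]
kernel: usb 1-1: new high-speed USB device number 2'

printf '%s\n' "$SAMPLE_KERN_LOG" | iscsi_crash_signature_count    # -> 2
if kernel_is_vulnerable "$(uname -r)"; then echo "running kernel is at or below 5.11.3"; fi
```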

How to Mitigate CVE-2021-27365

Immediate Actions Required

Patch Information

The upstream fix consists of two commits merged into the mainline Linux kernel: ec98ea7070e94cc25a422ec97d1421e28d97b7ee and f9dbdf97a5bd92b1a49cee3d591b55b11fd7a6d5. These patches add explicit length validation to the affected Netlink attribute handlers in scsi_transport_iscsi.c. All major distributions including Debian, Ubuntu, SUSE, and Red Hat have shipped backported fixes. SUSE tracking is available in SUSE Bugzilla #1182715.

Workarounds

  • Prevent the libiscsi and scsi_transport_iscsi kernel modules from loading on systems that do not need iSCSI initiator functionality by adding install libiscsi /bin/true and install scsi_transport_iscsi /bin/true entries to a file under /etc/modprobe.d/ (an install override blocks the module however the load is requested, including autoload when a NETLINK_ISCSI socket is created, whereas a plain blacklist entry only stops alias-based loading)
  • Disable further module loading by setting the kernel.modules_disabled=1 sysctl after boot on hardened hosts where no additional modules are needed (the setting cannot be reverted without a reboot)
  • Apply Ubuntu Livepatch, as described in the Packet Storm Security Notice, on systems that cannot be rebooted immediately
```bash
# Block the vulnerable iSCSI modules from loading: an "install ... /bin/true" override
# makes modprobe run /bin/true instead of loading the module, whichever path requests it
echo "install libiscsi /bin/true" | sudo tee /etc/modprobe.d/disable-iscsi.conf
echo "install scsi_transport_iscsi /bin/true" | sudo tee -a /etc/modprobe.d/disable-iscsi.conf

# Verify the modules are not currently loaded (no output means neither is resident;
# the override does not unload a module that is already loaded)
lsmod | grep -E "libiscsi|scsi_transport_iscsi"

# Confirm the running kernel version after upgrading and rebooting
uname -r
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
