CVE-2021-3428 Overview
A denial of service vulnerability was discovered in the Linux kernel's ext4 filesystem implementation. The flaw exists in the ext4_es_cache_extent function within fs/ext4/extents.c, where a corrupted extent tree in a crafted ext4 filesystem can trigger an integer overflow condition. A local attacker with special user privileges can exploit this vulnerability to cause a system crash, resulting in a complete denial of service.
Critical Impact
Local attackers with elevated privileges can crash the system by mounting a specially crafted ext4 filesystem, causing complete loss of system availability.
Affected Products
- Linux Kernel (all vulnerable versions)
- Systems running ext4 filesystem support
- Enterprise Linux distributions including Red Hat and Ubuntu
Discovery Timeline
- 2022-03-04 - CVE-2021-3428 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-3428
Vulnerability Analysis
This vulnerability stems from an integer overflow condition in the Linux kernel's ext4 filesystem extent handling code. The ext4 filesystem uses extent trees to efficiently map logical block addresses to physical block addresses on storage devices. When processing extent tree metadata, the ext4_es_cache_extent function fails to properly validate extent tree data, allowing specially crafted filesystem images to trigger integer overflow conditions.
The attack requires local access and elevated privileges, as mounting arbitrary filesystems typically requires administrative permissions. However, in environments where users can mount removable media or in containerized deployments with specific mount configurations, this vulnerability presents a significant availability risk.
Root Cause
The root cause is an integer overflow vulnerability (CWE-190) in the extent tree processing logic within fs/ext4/extents.c. The ext4_es_cache_extent function does not adequately validate extent tree structures before performing arithmetic operations, allowing maliciously crafted extent data to cause integer overflow. When the overflow occurs, it leads to memory corruption or invalid memory accesses, ultimately causing a kernel panic and system crash.
Attack Vector
The attack vector is local, requiring an attacker to have the ability to mount a specially crafted ext4 filesystem image. The attacker creates a malicious ext4 filesystem with a corrupted extent tree structure designed to trigger the integer overflow. When this filesystem is mounted and the corrupted extent tree is processed by the kernel, the integer overflow occurs in ext4_es_cache_extent, leading to a kernel crash.
The exploitation scenario involves:
- Crafting an ext4 filesystem image with malicious extent tree metadata
- Gaining access to a system with mount privileges (directly or through removable media)
- Mounting the crafted filesystem, triggering the vulnerable code path
- The kernel processes the corrupted extent tree, causing an integer overflow and subsequent system crash
Detection Methods for CVE-2021-3428
Indicators of Compromise
- Unexpected kernel panics or system crashes during filesystem mount operations
- Kernel log messages referencing ext4_es_cache_extent or extent tree errors
- Suspicious ext4 filesystem images on removable media or in user-accessible locations
- Repeated system reboots correlated with filesystem mounting activities
Detection Strategies
- Monitor kernel logs for panic messages related to ext4 extent handling
- Implement file integrity monitoring on systems with ext4 filesystems
- Deploy endpoint detection solutions capable of monitoring kernel-level events
- Review mount operations and filesystem access patterns for anomalies
Monitoring Recommendations
- Configure syslog or journald to alert on kernel panic events
- Implement automated kernel log analysis for ext4-related error messages
- Monitor for attempts to mount untrusted or external filesystem images
- Deploy SentinelOne agents for real-time kernel activity monitoring
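As an added example (not code from the original page or from any vendor agent), a small Python pass over kernel log lines that applies the detection and monitoring points above: it flags EXT4-fs error messages that name ext4_es_cache_extent or that land shortly after a mount, and marks a finding when a panic follows. The sample lines, the error message wording and the function watchlist are constructed for illustration, not real captures.

```python
import re
from datetime import datetime

# Constructed sample of journalctl -k style lines (not a real capture). The last three
# model the sequence this CVE produces: mount, extent-tree error naming the function, panic.
SAMPLE_LOG = """\
Mar 04 10:01:02 host kernel: EXT4-fs (sda1): mounted filesystem with ordered data mode. Opts: (null)
Mar 04 10:05:17 host kernel: usb 1-1: new high-speed USB device number 3 using xhci_hcd
Mar 04 10:05:19 host kernel: EXT4-fs (sdb1): mounted filesystem without journal. Opts: (null)
Mar 04 10:05:20 host kernel: EXT4-fs error (device sdb1): ext4_es_cache_extent:1234: inode #12: comm mount: bad extent tree
Mar 04 10:05:20 host kernel: Kernel panic - not syncing: Fatal exception
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<msg>.*)$")
MOUNT_RE = re.compile(r"^EXT4-fs \((?P<dev>[^)]+)\): mounted filesystem")
ERROR_RE = re.compile(r"^EXT4-fs error \(device (?P<dev>[^)]+)\): (?P<func>\w+):")
PANIC_RE = re.compile(r"^(Kernel panic|BUG:|Oops:)")

# Extent-handling functions that alert on their own (assumed watchlist); any other
# EXT4-fs error alerts only if it lands within MOUNT_WINDOW_S seconds of that device's mount.
WATCH_FUNCS = {"ext4_es_cache_extent", "ext4_ext_check_inode"}
MOUNT_WINDOW_S = 30


def analyze(log_text):
    """Return a list of findings, each with device, function, delay after mount, and panic flag."""
    last_mount = {}  # device -> timestamp of its most recent mount message
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["msg"]
        if mm := MOUNT_RE.match(msg):
            last_mount[mm["dev"]] = ts
        elif em := ERROR_RE.match(msg):
            dev, func = em["dev"], em["func"]
            delay = (ts - last_mount[dev]).total_seconds() if dev in last_mount else None
            if func in WATCH_FUNCS or (delay is not None and delay <= MOUNT_WINDOW_S):
                findings.append({"device": dev, "function": func,
                                 "seconds_after_mount": delay, "panic": False})
        elif PANIC_RE.match(msg) and findings:
            # A panic right after a flagged extent error is the crash signature to escalate
            findings[-1]["panic"] = True
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Feed it `journalctl -k -o short` output (or a persisted journal after the reboot) to get the same correlation on a real host.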
How to Mitigate CVE-2021-3428
Immediate Actions Required
- Update the Linux kernel to the latest patched version from your distribution
- Restrict mount privileges to only trusted administrative users
- Disable automatic mounting of removable media on sensitive systems
- Review and harden filesystem mount policies
Patch Information
Linux kernel patches addressing this integer overflow vulnerability are available through major Linux distribution channels. Consult vendor-specific advisories for detailed patch information.
Workarounds
- Restrict the mount command to root users only and audit mount operations
- Disable ext4 filesystem support in the kernel if not required (modprobe -r ext4); this only works where ext4 is built as a module and no mounted filesystem, including the root filesystem, uses it
- Implement mandatory access control (SELinux/AppArmor) policies to restrict mount operations
- Block untrusted removable media from being connected to sensitive systems
# Restrict mount privileges and disable automounting
# Back up fstab, then strip the user/users options (which let non-root users mount) from its entries.
# The word boundary keeps unrelated options such as user_xattr and nouser intact.
sudo cp /etc/fstab /etc/fstab.bak
sudo sed -i -E 's/(,users?\b|\busers?,)//g' /etc/fstab
# Tell udisks2 to ignore USB block devices so removable media is not automounted
sudo tee /etc/udev/rules.d/99-disable-automount.rules << 'EOF'
SUBSYSTEM=="block", ENV{ID_BUS}=="usb", ENV{UDISKS_IGNORE}="1"
EOF
# Reload udev rules so the new rule applies to newly attached devices
sudo udevadm control --reload-rules
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

