CVE-2021-3759 Overview
A memory overflow vulnerability was found in the Linux kernel's IPC functionality of the memcg subsystem. The flaw exists in the way a user calls the semget function multiple times, creating semaphores without proper resource accounting. This vulnerability allows a local user to starve system resources, causing a denial of service condition. The highest threat from this vulnerability is to system availability.
Critical Impact
Local attackers can exploit this vulnerability to exhaust system memory resources through repeated semaphore creation, leading to denial of service conditions affecting system availability.
Affected Products
- Linux Linux Kernel
- Debian Linux 10.0
Discovery Timeline
- 2022-08-23 - CVE CVE-2021-3759 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-3759
Vulnerability Analysis
This vulnerability represents a resource exhaustion flaw (CWE-400) combined with improper allocation of resources without limits (CWE-770) within the Linux kernel's memory control group (memcg) subsystem. The IPC mechanism responsible for managing System V semaphores fails to properly account for memory allocations when semaphores are created repeatedly.
When a local user invokes the semget system call multiple times to create semaphores, the kernel does not adequately track or limit the memory resources consumed by these operations within the memcg framework. This oversight allows an attacker to continuously allocate semaphores without proper resource constraints, eventually exhausting available system memory.
The vulnerability requires local access to the system and low privileges to exploit. No user interaction is required for successful exploitation, making it accessible to any authenticated local user.
Root Cause
The root cause lies in the incomplete integration between the IPC semaphore subsystem and the memcg memory accounting framework. When semaphores are allocated through semget, the associated kernel memory structures are not properly charged to the user's memory control group. This creates a blind spot in resource tracking, allowing unbounded resource consumption that bypasses memcg limits designed to prevent exactly this type of resource exhaustion attack.
Attack Vector
Exploitation occurs through repeated invocation of the semget system call from a local user context. The attacker creates numerous semaphores in rapid succession, each consuming kernel memory without proper accounting. Since the memory is not tracked against the user's cgroup limits, the attacker can continue allocating resources until system memory is exhausted, affecting all processes on the system and causing a denial of service condition.
The attack is straightforward to execute, requiring only basic programming knowledge to write a loop that continuously calls semget with appropriate parameters. No special privileges beyond standard local user access are required.
Detection Methods for CVE-2021-3759
Indicators of Compromise
- Unusually high number of semaphore allocations from a single user or process
- Rapid memory consumption by kernel IPC structures without corresponding memcg accounting
- System memory pressure alerts coinciding with high semget system call activity
- Processes creating excessive semaphores detected in /proc/sysvipc/sem
Detection Strategies
- Monitor semget system call frequency using auditd or syscall tracing mechanisms
- Implement alerts for abnormal semaphore creation rates per user or process
- Track kernel memory allocation patterns for IPC structures using kernel memory profiling tools
- Use SentinelOne's behavioral detection to identify resource exhaustion patterns
Monitoring Recommendations
- Enable system call auditing for semget operations to track semaphore creation activity
- Monitor /proc/sysvipc/sem for unusual growth in semaphore counts
- Configure memory pressure alerts to detect early signs of resource exhaustion
- Implement rate limiting for IPC resource creation at the application level where possible
How to Mitigate CVE-2021-3759
Immediate Actions Required
- Apply the latest kernel security updates from your Linux distribution vendor
- Review and restrict local user access to prevent unauthorized exploitation
- Implement resource limits using cgroups where possible to constrain IPC resource usage
- Monitor systems for signs of active exploitation attempts
Patch Information
Kernel patches addressing this vulnerability have been released. Organizations should consult their Linux distribution's security advisories for specific patch versions:
- Red Hat CVE-2021-3759 Advisory - Official Red Hat security guidance
- Red Hat Bug Report #1999675 - Detailed bug tracking information
- Debian LTS Security Announcement - Debian security updates
- Kernel Mailing List Thread - Original kernel patch discussion
Workarounds
- Restrict local system access to trusted users only until patches can be applied
- Implement system-wide semaphore limits using sysctl parameters such as kernel.sem
- Use SELinux or AppArmor policies to restrict semget system call access for untrusted processes
- Monitor and alert on excessive IPC resource creation as a compensating control
# Configuration example - Restrict semaphore limits
# Edit /etc/sysctl.conf or create /etc/sysctl.d/99-ipc-hardening.conf
sysctl -w kernel.sem="250 32000 32 128"
# Apply sysctl changes
sysctl -p
# Monitor current semaphore usage
ipcs -s
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
