CVE-2021-43267 Overview
CVE-2021-43267 is a critical remote code execution vulnerability discovered in the Linux kernel's Transparent Inter-Process Communication (TIPC) functionality. The flaw exists in net/tipc/crypto.c where insufficient validation of user-supplied sizes for the MSG_CRYPTO message type allows remote attackers to potentially execute arbitrary code or cause denial of service conditions on affected systems.
The TIPC protocol is designed to provide reliable, unicast and multicast communication between nodes in a cluster. When processing cryptographic key exchange messages, the kernel failed to properly validate the size of incoming data, creating an exploitable condition that could be triggered remotely over the network without any authentication or user interaction.
Critical Impact
Remote attackers can exploit this vulnerability to achieve arbitrary code execution with kernel privileges on vulnerable Linux systems running TIPC, potentially leading to complete system compromise.
Affected Products
- Linux Kernel versions before 5.14.16
- Fedora 34 and Fedora 35
- NetApp H300S, H500S, H700S, H300E, H500E, H700E, and H410S firmware
Discovery Timeline
- November 2, 2021 - CVE-2021-43267 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-43267
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-1284) in the TIPC cryptographic message handling code. When the Linux kernel processes MSG_CRYPTO messages used for key exchange between TIPC nodes, it fails to adequately validate the size fields provided in the message structure before allocating memory and processing the data.
The vulnerable code path accepts a size value from the incoming network packet and uses it directly without verifying that:
- The size meets minimum requirements for a valid TIPC AEAD key structure
- The keylen value matches the declared packet size
- The keylen does not exceed the maximum allowed key size (TIPC_AEAD_KEY_SIZE_MAX)
This allows an attacker to supply malformed MSG_CRYPTO messages with manipulated size values, potentially triggering heap-based buffer overflows, memory corruption, or other exploitable conditions when the kernel attempts to allocate and copy the malformed key data.
Root Cause
The root cause is the absence of proper bounds checking on the size and keylen values extracted from network-supplied MSG_CRYPTO messages in net/tipc/crypto.c. The kernel trusted these user-controllable values without verification, allowing attackers to manipulate memory allocation and data copy operations.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can craft malicious TIPC MSG_CRYPTO packets with invalid size parameters and send them to a target system with TIPC enabled. The vulnerability is exploitable from an adjacent network or potentially across routed networks where TIPC traffic is permitted.
u16 key_gen = msg_key_gen(hdr);
u16 size = msg_data_sz(hdr);
u8 *data = msg_data(hdr);
+ unsigned int keylen;
+
+ /* Verify whether the size can exist in the packet */
+ if (unlikely(size < sizeof(struct tipc_aead_key) + TIPC_AEAD_KEYLEN_MIN)) {
+ pr_debug("%s: message data size is too small\n", rx->name);
+ goto exit;
+ }
+
+ keylen = ntohl(*((__be32 *)(data + TIPC_AEAD_ALG_NAME)));
+
+ /* Verify the supplied size values */
+ if (unlikely(size != keylen + sizeof(struct tipc_aead_key) ||
+ keylen > TIPC_AEAD_KEY_SIZE_MAX)) {
+ pr_debug("%s: invalid MSG_CRYPTO key size\n", rx->name);
+ goto exit;
+ }
spin_lock(&rx->lock);
if (unlikely(rx->skey || (key_gen == rx->key_gen && rx->key.keys))) {
pr_err("%s: key existed <%p>, gen %d vs %d\n", rx->name,
rx->skey, key_gen, rx->key_gen);
- goto exit;
+ goto exit_unlock;
}
/* Allocate memory for the key */
skey = kmalloc(size, GFP_ATOMIC);
Source: Linux Kernel Security Commit
The patch adds proper validation checks to ensure the message data size meets minimum requirements and that the keylen field is consistent with the overall packet size before proceeding with memory allocation.
Detection Methods for CVE-2021-43267
Indicators of Compromise
- Unusual TIPC traffic patterns, particularly malformed MSG_CRYPTO messages with inconsistent size values
- Kernel crashes or oops messages referencing net/tipc/crypto.c or TIPC-related functions
- Unexpected memory allocation failures or heap corruption signatures in kernel logs
- Systems exhibiting signs of kernel-level compromise following TIPC network activity
Detection Strategies
- Monitor kernel logs for TIPC-related errors, crashes, or debug messages indicating invalid MSG_CRYPTO key sizes
- Deploy network intrusion detection systems (IDS) with signatures for malformed TIPC packets targeting the MSG_CRYPTO message type
- Implement kernel live patching monitoring to track systems that have not received the security update
- Use endpoint detection solutions like SentinelOne to detect anomalous kernel behavior and potential exploitation attempts
Monitoring Recommendations
- Enable TIPC debug logging where feasible to capture validation failures and potential exploitation attempts
- Monitor for unexpected kernel module loading or process execution following TIPC traffic processing
- Track systems running vulnerable kernel versions (before 5.14.16) with TIPC enabled in production environments
- Implement network segmentation monitoring to detect lateral movement attempts following potential compromise
How to Mitigate CVE-2021-43267
Immediate Actions Required
- Update Linux kernel to version 5.14.16 or later immediately on all affected systems
- If patching is not immediately possible, disable the TIPC kernel module on systems that do not require it
- Implement network-level filtering to block TIPC traffic (UDP/TCP port 6118) from untrusted sources
- Audit systems with TIPC enabled to assess exposure and prioritize patching
Patch Information
The vulnerability was addressed in Linux kernel version 5.14.16. The security fix (commit fa40d9734a57bcbfa79a280189799f76c88f7bb0) adds proper size validation checks before processing MSG_CRYPTO messages. Organizations should update to the patched kernel version through their distribution's package manager or by compiling from source.
For additional details, refer to the Linux Kernel ChangeLog for 5.14.16 and the official security commit.
Fedora users should apply updates referenced in the Fedora Package Announcements. NetApp customers should consult NetApp Security Advisory NTAP-20211125-0002 for firmware updates.
Workarounds
- Disable the TIPC kernel module if not required: modprobe -r tipc and blacklist it from loading
- Implement firewall rules to block TIPC traffic from untrusted network segments
- Use network segmentation to isolate systems requiring TIPC from general network access
- Consider containerization or VM isolation for workloads requiring TIPC until patching is complete
# Disable TIPC module and prevent automatic loading
sudo modprobe -r tipc
echo "blacklist tipc" | sudo tee /etc/modprobe.d/blacklist-tipc.conf
echo "install tipc /bin/false" | sudo tee -a /etc/modprobe.d/blacklist-tipc.conf
# Block TIPC traffic at firewall (if module cannot be disabled)
sudo iptables -A INPUT -p udp --dport 6118 -j DROP
sudo iptables -A INPUT -p tcp --dport 6118 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
