CVE-2021-43975 Overview
CVE-2021-43975 is an out-of-bounds write vulnerability in the Linux kernel through version 5.15.2. The flaw exists in the hw_atl_utils_fw_rpc_wait function within the Aquantia Atlantic network driver (drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c). An attacker with the ability to introduce a crafted device can exploit this vulnerability by providing a malicious length value, leading to memory corruption through an out-of-bounds write operation.
Critical Impact
This vulnerability allows an attacker with physical access or the ability to introduce crafted hardware devices to corrupt kernel memory, potentially leading to privilege escalation, denial of service, or arbitrary code execution in kernel context.
Affected Products
- Linux Kernel versions through 5.15.2
- Fedora 34 and 35
- Debian Linux 9.0 and 10.0
- NetApp Cloud Backup
- NetApp H500S, H700S, H300E, H500E, H700E, H410S, H410C (firmware and hardware)
Discovery Timeline
- 2021-11-17 - CVE-2021-43975 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-43975
Vulnerability Analysis
The vulnerability resides in the Aquantia Atlantic Ethernet driver, which is used to support Aquantia network interface cards. The affected function hw_atl_utils_fw_rpc_wait handles firmware remote procedure calls (RPC) and processes data from the network device hardware.
The core issue is a failure to properly validate a length value received from the device firmware before using it to perform memory operations. When a crafted device supplies a malicious length parameter, the driver uses this untrusted value to determine the bounds of a memory write operation. Since the length is not sanitized or validated against the actual buffer size, an attacker-controlled length can cause the driver to write beyond the allocated memory region.
This type of vulnerability is classified as CWE-787 (Out-of-bounds Write), which occurs when software writes data past the end, or before the beginning, of the intended buffer. In the kernel context, such memory corruption can have severe consequences including kernel panic, privilege escalation, or arbitrary code execution with kernel privileges.
Root Cause
The root cause is insufficient validation of device-supplied data in the hw_atl_utils_fw_rpc_wait function. The driver trusts the length value provided by the firmware without verifying it falls within acceptable bounds. This violates the security principle that all external input—including data from hardware devices—should be treated as untrusted and validated before use.
The specific issue occurs when the RPC wait function processes response data from the Aquantia NIC firmware. The firmware response includes a length field that indicates how much data should be copied. Without proper bounds checking, a crafted device can specify a length larger than the destination buffer, resulting in memory corruption.
Attack Vector
The attack requires local access with the ability to introduce or manipulate hardware devices. An attacker could exploit this vulnerability through several scenarios:
Physical Access: An attacker with physical access to the system could connect a malicious USB-to-Ethernet adapter or PCIe network card that emulates an Aquantia device and sends crafted firmware responses.
Virtualization/Cloud Environments: In virtualized environments where device passthrough is used, a compromised or malicious virtual device could exploit this vulnerability in the host kernel.
Supply Chain Attack: Compromised or counterfeit Aquantia network hardware could be pre-configured to exploit this vulnerability upon driver initialization.
The attack flow involves:
- Introducing a crafted device that identifies as an Aquantia Atlantic NIC
- The kernel loads the Atlantic driver and initializes communication with the device
- During firmware RPC operations, the malicious device returns a response with an oversized length value
- The driver performs an out-of-bounds write using the attacker-controlled length, corrupting adjacent kernel memory
Detection Methods for CVE-2021-43975
Indicators of Compromise
- Unexpected kernel panics or system crashes, particularly when network devices are connected or initialized
- Kernel log messages (dmesg) showing memory corruption errors related to the Atlantic or Aquantia driver modules
- Unexpected behavior in systems with Aquantia network interfaces, including network instability or driver errors
- KASAN (Kernel Address Sanitizer) reports indicating out-of-bounds memory access in hw_atl_utils.c
Detection Strategies
- Monitor kernel logs for Atlantic driver anomalies using dmesg | grep -i "atlantic\|aquantia\|hw_atl"
- Enable KASAN in development/testing environments to detect memory corruption attempts
- Implement hardware inventory monitoring to detect unauthorized or unknown network devices
- Use endpoint detection solutions to monitor for unusual kernel driver loading patterns or device enumeration events
Monitoring Recommendations
- Configure system logging to capture and centralize kernel messages for security analysis
- Implement hardware change detection alerts for new network device connections
- Deploy SentinelOne Singularity Platform with kernel-level visibility to detect exploitation attempts and memory corruption events
- Establish baseline network device configurations and alert on deviations
How to Mitigate CVE-2021-43975
Immediate Actions Required
- Update the Linux kernel to a patched version that includes commit b922f622592af76b57cbc566eaeccda0b31a3496
- Apply vendor-specific patches from Fedora, Debian, or NetApp as applicable to your environment
- Restrict physical access to systems with Aquantia network hardware
- In high-security environments, consider disabling the Atlantic driver if Aquantia NICs are not required
Patch Information
The vulnerability has been addressed in the upstream Linux kernel. The fix is available through the Linux Kernel Commit which adds proper bounds checking to the hw_atl_utils_fw_rpc_wait function.
Distribution-specific patches are available:
- Debian: Security updates detailed in Debian Security Advisory DSA-5096 and the Debian LTS Security Announcement
- Fedora: Updates available through the Fedora Package Announcement
- NetApp: Refer to the NetApp Security Advisory for affected products and firmware updates
Workarounds
- If patching is not immediately possible, blacklist the atlantic kernel module using echo "blacklist atlantic" >> /etc/modprobe.d/blacklist.conf if Aquantia NICs are not in use
- Implement strict physical security controls to prevent unauthorized hardware connections
- Use virtualization or containerization to isolate systems that require the Atlantic driver
- Monitor for and block unknown USB and PCIe devices using device control policies
# Configuration example to blacklist the Atlantic driver
echo "blacklist atlantic" | sudo tee /etc/modprobe.d/atlantic-blacklist.conf
sudo update-initramfs -u
# Verify the driver is blacklisted
cat /etc/modprobe.d/atlantic-blacklist.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
