CVE-2021-45095 Overview
CVE-2021-45095 is a memory leak vulnerability in the Linux kernel's Phonet protocol implementation. The flaw exists in the pep_sock_accept function within net/phonet/pep.c, where a reference count leak occurs during socket acceptance operations. This vulnerability affects Linux kernel versions through 5.15.8 and allows local attackers to potentially leak sensitive information from kernel memory.
Critical Impact
Local attackers with low privileges can exploit this reference count leak to potentially access sensitive information from kernel memory, compromising system confidentiality.
Affected Products
- Linux Kernel (versions through 5.15.8)
- Debian Linux 9.0
- Debian Linux 10.0
- Debian Linux 11.0
Discovery Timeline
- December 16, 2021 - CVE-2021-45095 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-45095
Vulnerability Analysis
This vulnerability is classified as an information exposure issue (CWE-200) stemming from improper reference counting in the Linux kernel's Phonet protocol stack. The Phonet protocol is a packet-oriented network protocol used primarily in Nokia cellular modems for communication between the modem and application processor.
The flaw occurs in the pep_sock_accept function, which handles socket acceptance for Phonet Pipe End Point (PEP) connections. When the pep_accept_conn function fails and returns an error, the code path fails to properly decrement the reference count on the parent socket before proceeding to error handling. This creates a reference count leak that can be exploited by local attackers.
Reference count leaks are particularly dangerous in kernel code because they can lead to memory disclosure, denial of service through resource exhaustion, or in some cases, use-after-free conditions when reference counts underflow in subsequent operations.
Root Cause
The root cause is a missing __sock_put(sk) call in the error handling path of pep_sock_accept. When pep_accept_conn() returns an error, the function correctly puts the new socket reference but fails to release the reference on the parent socket (sk) that was acquired earlier in the function. This asymmetric reference counting leads to the leak.
Attack Vector
The attack requires local access to the system with low privileges. An attacker would need to:
- Create Phonet protocol sockets on the target system
- Trigger the error condition in pep_sock_accept by manipulating connection acceptance
- Repeatedly trigger the vulnerability to leak kernel memory references
- Potentially extract sensitive information from the leaked memory
The following patch addresses the reference count leak by adding the missing socket put operation:
err = pep_accept_conn(newsk, skb);
if (err) {
+ __sock_put(sk);
sock_put(newsk);
newsk = NULL;
goto drop;
Source: GitHub Linux Commit
Detection Methods for CVE-2021-45095
Indicators of Compromise
- Unusual Phonet protocol socket activity from unprivileged processes
- Increasing kernel memory allocation without corresponding deallocation in the Phonet subsystem
- Abnormal patterns of socket accept failures on Phonet endpoints
- Memory leak warnings or OOM (Out of Memory) conditions related to network subsystems
Detection Strategies
- Monitor for processes attempting to create Phonet protocol sockets, especially from non-system users
- Implement kernel memory tracking to detect reference count anomalies in network subsystems
- Use kernel debugging tools like kmemleak to identify memory leaks in the net/phonet/ code path
- Deploy endpoint detection solutions capable of monitoring kernel-level socket operations
Monitoring Recommendations
- Enable kernel auditing for socket syscalls, particularly those involving the Phonet protocol family (AF_PHONET)
- Monitor /proc/slabinfo for abnormal growth in socket-related slab caches
- Implement alerting on repeated socket accept failures that may indicate exploitation attempts
- Review system logs for Phonet-related kernel warnings or errors
How to Mitigate CVE-2021-45095
Immediate Actions Required
- Update the Linux kernel to a patched version that includes commit bcd0f93353326954817a4f9fa55ec57fb38acbb0
- Apply distribution-specific security patches from Debian or your Linux vendor
- If patching is not immediately possible, consider disabling the Phonet protocol module if not required
- Restrict local user access and review user privileges to limit attack surface
Patch Information
The vulnerability has been addressed through official kernel commits and distribution security advisories:
- Linux Kernel Commit - Official kernel fix
- GitHub Linux Commit - Mirror of the patch
- Debian Security Advisory DSA-5050 - Debian stable security update
- Debian Security Advisory DSA-5096 - Additional Debian security update
Workarounds
- Disable the Phonet protocol kernel module if not required for system operation
- Restrict access to create Phonet sockets using Linux Security Modules (SELinux/AppArmor)
- Implement mandatory access controls to limit which processes can interact with the Phonet subsystem
- Monitor and limit local user access to reduce the attack surface for this local vulnerability
# Disable Phonet kernel module if not needed
echo "blacklist phonet" >> /etc/modprobe.d/blacklist-phonet.conf
echo "blacklist pn_pep" >> /etc/modprobe.d/blacklist-phonet.conf
# Remove the module if currently loaded
modprobe -r pn_pep
modprobe -r phonet
# Verify module is not loaded
lsmod | grep phonet
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
