CVE-2021-23133

Published: 22 April 2021

A race condition in Linux kernel SCTP sockets (net/sctp/socket.c) before 5.12-rc8 can lead to kernel privilege escalation from the context of a network service or an unprivileged process. If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock then an element is removed from the auto_asconf_splist list without any proper locking. This can be exploited by an attacker with network service privileges to escalate to root or from the context of an unprivileged user directly if a BPF_CGROUP_INET_SOCK_CREATE is attached which denies creation of some SCTP socket.

From the Ubuntu security team

Or Cohen discovered that the SCTP implementation in the Linux kernel contained a race condition in some situations, leading to a use-after-free condition. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code.

Priority

Medium

CVSS 3 base score: 7.0

Status

Notes

commit b166a20b0738 "net/sctp: fix race condition in
sctp_destroy_sock" in net-next

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23133
• https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=b166a20b07382b8bc1dcee2a448715c9c2c81b5b
• https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b166a20b07382b8bc1dcee2a448715c9c2c81b5b
• https://www.openwall.com/lists/oss-security/2021/04/18/2
• https://ubuntu.com/security/notices/USN-4997-1
• https://ubuntu.com/security/notices/USN-4999-1
• https://ubuntu.com/security/notices/USN-5000-1
• https://ubuntu.com/security/notices/USN-5001-1
• https://ubuntu.com/security/notices/USN-5003-1
• NVD
• Launchpad
• Debian