
CVE Reports

Originally published at cvereports.com

CVE-2021-43267: The TIPC Titanic: Sinking the Linux Kernel with a Heap Overflow

Vulnerability ID: CVE-2021-43267
CVSS Score: 9.8
Published: 2021-11-02

A massive heap overflow in the Linux Kernel's Transparent Inter-Process Communication (TIPC) protocol allows attackers to write arbitrary data past the end of an allocated buffer. Because the vulnerability resides in the message crypto handling, it can be triggered both locally and remotely (if the port is exposed). This isn't just a denial of service; it's a golden ticket to Ring 0, allowing full system compromise via a classic 'copy-first, check-later' logic error.
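The length mismatch at the heart of this bug is easier to see in a small userspace model than in the kernel source. The following is an added example written for this page, not the kernel's code and not from the original report: it lays out a MSG_CRYPTO key payload the way struct tipc_aead_key does (a 32-byte algorithm name, a big-endian 32-bit keylen, then the key bytes), reports how far the pre-fix logic would have copied past a buffer sized from the message header, and implements the post-fix validation in the order a reviewer would want. The constants TIPC_AEAD_ALG_NAME and TIPC_AEAD_KEYLEN_MAX are assumed to match the kernel's uapi tipc.h; build_key_msg, scenario_status and scenario_overrun are helpers invented for the example. Nothing is allocated or copied; the model only computes what would have happened.

```c
/* Added example, not the kernel's code: a userspace model of the length
 * validation that the CVE-2021-43267 fix adds to TIPC MSG_CRYPTO handling.
 * Layout follows struct tipc_aead_key (alg_name[32], big-endian 32-bit
 * keylen, then the key bytes); the constants are assumed to match the
 * kernel's uapi tipc.h. No allocation or copy is performed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TIPC_AEAD_ALG_NAME   32U        /* assumed kernel value */
#define TIPC_AEAD_KEYLEN_MAX (32U + 4U) /* assumed kernel value */
#define KEY_HDR_SIZE         (TIPC_AEAD_ALG_NAME + sizeof(uint32_t))

enum key_msg_status {
    KEY_OK = 0,
    KEY_ERR_TRUNCATED,      /* too short to hold even the keylen field */
    KEY_ERR_SIZE_MISMATCH,  /* header-derived size and payload keylen disagree */
    KEY_ERR_TOO_LONG        /* keylen above the protocol maximum */
};

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Pre-fix logic: the buffer is sized from the header's data size, but the
 * copy length is the payload's keylen, trusted as-is. Returns how many bytes
 * that copy would run past the end of the buffer (0 means no overrun). */
size_t unchecked_overrun(const uint8_t *data, size_t size)
{
    if (size < KEY_HDR_SIZE)
        return 0; /* keylen itself unreadable; not modelled here */
    size_t copy_end = KEY_HDR_SIZE + (size_t)read_be32(data + TIPC_AEAD_ALG_NAME);
    return copy_end > size ? copy_end - size : 0;
}

/* Post-fix logic: confirm the keylen field lies inside the message before
 * reading it, require the header size to account for exactly keylen key
 * bytes, then cap keylen at the protocol maximum. */
enum key_msg_status validate_key_msg(const uint8_t *data, size_t size,
                                     uint32_t *keylen_out)
{
    if (size < KEY_HDR_SIZE)
        return KEY_ERR_TRUNCATED;
    uint32_t keylen = read_be32(data + TIPC_AEAD_ALG_NAME);
    if (size != KEY_HDR_SIZE + (size_t)keylen)
        return KEY_ERR_SIZE_MISMATCH;
    if (keylen > TIPC_AEAD_KEYLEN_MAX)
        return KEY_ERR_TOO_LONG;
    if (keylen_out)
        *keylen_out = keylen;
    return KEY_OK;
}

/* Build a constructed key message. declared_keylen is what the payload
 * claims; actual_key_bytes is how many key bytes are appended, so the two
 * can be made to disagree. Returns the message size, or 0 if buf is too small. */
size_t build_key_msg(uint8_t *buf, size_t cap, const char *alg,
                     uint32_t declared_keylen, size_t actual_key_bytes)
{
    size_t total = KEY_HDR_SIZE + actual_key_bytes, n = strlen(alg);
    if (cap < total)
        return 0;
    memset(buf, 0, total);
    memcpy(buf, alg, n < TIPC_AEAD_ALG_NAME ? n : TIPC_AEAD_ALG_NAME - 1);
    buf[TIPC_AEAD_ALG_NAME + 0] = (uint8_t)(declared_keylen >> 24);
    buf[TIPC_AEAD_ALG_NAME + 1] = (uint8_t)(declared_keylen >> 16);
    buf[TIPC_AEAD_ALG_NAME + 2] = (uint8_t)(declared_keylen >> 8);
    buf[TIPC_AEAD_ALG_NAME + 3] = (uint8_t)declared_keylen;
    memset(buf + KEY_HDR_SIZE, 0x41, actual_key_bytes); /* dummy key bytes */
    return total;
}

/* Scenario helpers: validator verdict and pre-fix overrun for a declared/actual pair. */
int scenario_status(uint32_t declared_keylen, size_t actual_key_bytes)
{
    uint8_t msg[512];
    size_t n = build_key_msg(msg, sizeof msg, "gcm(aes)", declared_keylen, actual_key_bytes);
    return (int)validate_key_msg(msg, n, NULL);
}

size_t scenario_overrun(uint32_t declared_keylen, size_t actual_key_bytes)
{
    uint8_t msg[512];
    size_t n = build_key_msg(msg, sizeof msg, "gcm(aes)", declared_keylen, actual_key_bytes);
    return unchecked_overrun(msg, n);
}

int main(void)
{
    printf("consistent 20-byte key:  status %d, pre-fix overrun %zu\n",
           scenario_status(20, 20), scenario_overrun(20, 20));
    printf("claims 200, carries 20:  status %d, pre-fix overrun %zu\n",
           scenario_status(200, 20), scenario_overrun(200, 20));
    printf("claims 100, carries 100: status %d, pre-fix overrun %zu\n",
           scenario_status(100, 100), scenario_overrun(100, 100));
    return 0;
}
```

The second scenario is the vulnerability class in miniature: the message is 56 bytes, so the pre-fix code would allocate 56 bytes and then copy 200 key bytes into them, 180 bytes past the end. The validator rejects it as a size mismatch before any copy, and rejects the third message (internally consistent, but with a key longer than the protocol allows) on the length cap.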

TL;DR

Critical heap overflow in Linux Kernel TIPC module. Attackers can remotely (or locally) exploit a logic flaw in crypto key exchange to overwrite kernel heap memory. This leads to arbitrary code execution as root. Fixed in 5.14.16.


⚠️ Exploit Status: WEAPONIZED

Technical Details

  • CWE ID: CWE-122 (Heap-based Buffer Overflow)
  • CVSS v3.1: 9.8 (Critical)
  • Attack Vector: Network (UDP/TIPC)
  • Exploit Reliability: High (Elastic Object Spray)
  • EPSS Score: 72.62%
  • Privilege Required: None (Remote) / Low (Local)

Affected Systems

  • Linux Kernel 4.8 - 5.14.15
  • Fedora 34
  • Fedora 35
  • NetApp HCI (Compute Node)
  • NetApp SolidFire
  • Unpatched Container Hosts
  • Linux Kernel: >= 4.8, < 5.14.16 (Fixed in: 5.14.16)

Code Analysis

Commit: fa40d97

tipc: validate msg_crypto key length

@@ -243,6 +243,11 @@ static int tipc_crypto_key_rcv(struct tipc_crypto *rx, struct tipc_msg *hdr)

    /* Validate key length */
+   keylen = ntohl(*((__be32 *)(data + TIPC_AEAD_ALG_NAME)));
+   if (unlikely(size != keylen + sizeof(struct tipc_aead_key) ||
+            keylen > TIPC_AEAD_KEY_SIZE_MAX)) {
+       return -1;
+   }
+
    skey = kmalloc(size, GFP_ATOMIC);
    if (!skey) {
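Review bot: the keylen read on the first added line dereferences data + TIPC_AEAD_ALG_NAME before anything in this hunk confirms the message is long enough to contain the key header, so a payload shorter than TIPC_AEAD_ALG_NAME + sizeof(__be32) is read past its end before the `size != keylen + sizeof(struct tipc_aead_key)` test can reject it; either add a `size < sizeof(struct tipc_aead_key)` check ahead of the ntohl() or note in the commit message that the caller already enforces a minimum data size. The check itself is the right one, since the visible context keeps `skey = kmalloc(size, GFP_ATOMIC)` sized from the header while the copy length comes from the payload, but the bare `return -1` drops the rejection silently; a pr_err() naming the peer would help operators spot a host probing this path.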

Exploit Details

  • GitHub: Full LPE exploit code by bl4sty targeting modprobe_path
  • SentinelOne: Original research and discovery blog post

Mitigation Strategies

  • Update Linux Kernel to version 5.14.16 or later.
  • Blacklist the 'tipc' kernel module if not in use.
  • Block UDP port 6118 at the network perimeter.
  • Restrict access to Netlink sockets to trusted users.

Remediation Steps:

  1. Check current kernel version: uname -r
  2. Update system packages: apt-get update && apt-get dist-upgrade (or equivalent)
  3. Verify the TIPC module is not loaded: lsmod | grep tipc
  4. Reboot the system to apply kernel updates.

References


Read the full report for CVE-2021-43267 on our website for more details including interactive diagrams and full exploit analysis.
