CVE-2021-20271

7.0 HIGH

📋 TL;DR

A vulnerability in RPM's signature verification allows attackers to craft malicious packages that appear valid but corrupt the RPM database upon installation. This can lead to arbitrary code execution, compromising data integrity, confidentiality, and system availability. Systems using RPM package management on affected distributions are vulnerable.

💻 Affected Systems

Products:
  • rpm
Versions: rpm versions before 4.16.1.3, 4.15.x before 4.15.1.1, 4.14.x before 4.14.3
Operating Systems: Fedora, RHEL, CentOS, other RPM-based Linux distributions
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems using RPM for package management with signature verification enabled. The vulnerability is in the signature header parsing logic.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise via arbitrary code execution, RPM database corruption preventing package management, and persistent backdoor installation.

🟠 Likely Case

RPM database corruption causing system instability, package management failures, and potential privilege escalation if combined with other vulnerabilities.

🟢 If Mitigated

Limited to package installation failures if proper signature verification controls are enforced, though database corruption risk remains.

🌐 Internet-Facing: LOW - Requires user to install a malicious package, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Internal users with package installation privileges could exploit, but requires social engineering or compromised repositories.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires convincing a user to install a specially crafted RPM package. No public exploit code was found in references, but the vulnerability is well-documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: rpm 4.16.1.3, 4.15.1.1, or 4.14.3

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1934125

Restart Required: No

Instructions:

1. Update the RPM package using your distribution's package manager.
2. For Fedora: 'sudo dnf update rpm'
3. For RHEL/CentOS: 'sudo yum update rpm'
4. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable RPM signature verification

Platform: linux

Temporarily disable signature checking for RPM packages (NOT RECOMMENDED for production).

rpm --nosignature -i package.rpm

Use package manager with --nogpgcheck

Platform: linux

Install packages without GPG signature verification using package manager flags.

dnf install --nogpgcheck package
yum install --nogpgcheck package

🧯 If You Can't Patch

  • Restrict RPM package installation to trusted sources only and verify checksums independently.
  • Implement strict access controls to prevent unauthorized users from installing RPM packages.

🔍 How to Verify

Check if Vulnerable:

Check the RPM version with 'rpm --version'. If the version is below 4.16.1.3 (on the 4.15.x branch, below 4.15.1.1; on the 4.14.x branch, below 4.14.3), the system is vulnerable.

Check Version:

rpm --version | head -1

Verify Fix Applied:

Run 'rpm --version' and confirm the version is 4.16.1.3, 4.15.1.1 or 4.14.3 or higher on its branch. Test installing a signed package to ensure no corruption occurs.
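The version check above is per branch (4.14.x, 4.15.x, 4.16.x), so a naive "lower than 4.16.1.3" comparison would wrongly flag a fixed 4.15.1.1 as vulnerable. The following POSIX sh script is an added example, not part of this advisory or of the rpm project; it classifies a version string against the three fixed releases named here. It assumes that 'rpm --version' prints a line of the form 'RPM version X.Y.Z' (third whitespace-separated field), and that any distribution release suffix such as '-1.fc34' can be stripped before comparing.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an rpm version against the
# fixed releases 4.16.1.3 / 4.15.1.1 / 4.14.3, branch by branch.

# verlt A B: succeeds when version A sorts strictly before version B.
# Only the leading digits-and-dots part is compared; a release suffix such
# as "-1.fc34" is dropped. Missing components count as 0 (4.14 == 4.14.0).
verlt() {
  a=${1%%[!0-9.]*}
  b=${2%%[!0-9.]*}
  i=1
  while [ "$i" -le 4 ]; do
    # Append a dot so cut always sees a delimiter, even for "4".
    x=$(printf '%s' "$a." | cut -d. -f"$i")
    y=$(printf '%s' "$b." | cut -d. -f"$i")
    x=${x:-0}
    y=${y:-0}
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
    i=$((i + 1))
  done
  return 1
}

# rpm_fix_status VERSION: prints "vulnerable" or "fixed".
# The fixed release to compare against depends on the branch the installed
# version belongs to, exactly as the advisory's version list states.
rpm_fix_status() {
  v=$1
  case "$v" in
    4.14.*) fixed=4.14.3 ;;
    4.15.*) fixed=4.15.1.1 ;;
    *)      fixed=4.16.1.3 ;;   # anything else: needs 4.16.1.3 or newer
  esac
  if verlt "$v" "$fixed"; then
    echo vulnerable
  else
    echo fixed
  fi
}

# installed_rpm_status: read the installed version from 'rpm --version'
# (assumed output: "RPM version X.Y.Z") and classify it.
installed_rpm_status() {
  ver=$(rpm --version 2>/dev/null | awk '{print $3}')
  [ -n "$ver" ] || { echo "rpm not found"; return 2; }
  rpm_fix_status "$ver"
}

# When run directly on a host that has rpm, report its status.
if command -v rpm >/dev/null 2>&1; then
  echo "installed rpm: $(installed_rpm_status)"
fi
```

Run it as a script on the host, or source it and call 'rpm_fix_status' with a version string taken from an inventory export to triage many hosts offline.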

📡 Detection & Monitoring

Log Indicators:

  • RPM database corruption errors in system logs
  • Failed package installations with signature verification errors
  • Unexpected RPM process crashes

Network Indicators:

  • Downloads of RPM packages from untrusted sources
  • Unusual outbound connections after package installation

SIEM Query:

source="systemd-journald" AND ("rpm" AND ("corrupt" OR "signature" OR "verification failed"))
