CVE-2021-20322

7.4 HIGH

📋 TL;DR

This Linux kernel vulnerability allows remote attackers to bypass UDP source port randomization by exploiting flaws in ICMP error processing. Attackers can scan open UDP ports more effectively, compromising confidentiality and potentially integrity of systems relying on UDP randomization. All Linux systems with affected kernel versions are vulnerable.

💻 Affected Systems

Products:
  • Linux kernel
Versions: kernels before 5.15-rc6 that do not carry the fixing commits listed under Fix & Mitigation
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: All default Linux configurations with affected kernel versions are vulnerable. The vulnerability affects both IPv4 and IPv6 implementations.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could map all open UDP ports on vulnerable systems, enabling targeted attacks against services that rely on UDP port randomization for security, potentially leading to service compromise or data exfiltration.

🟠 Likely Case

Remote attackers performing network reconnaissance can more efficiently discover open UDP ports, reducing the effectiveness of UDP-based security mechanisms and exposing vulnerable services.

🟢 If Mitigated

With proper patching and network controls, the risk is minimal as the vulnerability only enables reconnaissance, not direct code execution or privilege escalation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires network access and knowledge of the target's IP address. The technique is well-documented in security research but no public exploit code is widely available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel 5.15-rc6 and later with specific commits applied

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=2014230

Restart Required: Yes

Instructions:

1. Update the Linux kernel to version 5.15-rc6 or later.
2. Apply the specific kernel commits: 4785305c05b2, 6457378fe796, 67d6d681e15b, a00df2caffed.
3. Reboot the system to load the new kernel.

🔧 Temporary Workarounds

Disable ICMP redirect acceptance (Linux)

Prevents the kernel from acting on ICMP redirect messages, which would otherwise update its routing cache.

sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv6.conf.all.accept_redirects=0

Rate limit ICMP errors (Linux)

Limits how often the kernel sends ICMP messages of the types selected by icmp_ratemask. icmp_ratelimit is the minimum interval in milliseconds between such messages (the kernel default is 1000). icmp_ratemask is a bitmask of ICMP types, so a value of 0 would exempt every type from the limit; the value below is the kernel default, which covers destination unreachable, source quench, time exceeded and parameter problem.

sysctl -w net.ipv4.icmp_ratelimit=100
sysctl -w net.ipv4.icmp_ratemask=6168

Settings applied with sysctl -w do not survive a reboot; place them in a file under /etc/sysctl.d/ to make them persistent.

🧯 If You Can't Patch

  • Implement strict network segmentation to limit exposure to untrusted networks
  • Deploy network-based intrusion detection systems to monitor for UDP port scanning activities

🔍 How to Verify

Check if Vulnerable:

Check the running kernel version with 'uname -r' and compare it against the patched versions. Distribution kernels often carry the fix as a backport without changing the upstream version string, so also review your distribution's advisory or kernel changelog for the four listed commits; /proc/version shows only the version string and build details, not individual commits.

Check Version:

uname -r

Verify Fix Applied:

Verify that the kernel version is 5.15-rc6 or later (or a distribution build that backports the fix) and check that the sysctl settings for ICMP redirect acceptance are set to 0.
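The following POSIX shell script is an added example, not part of the advisory: it wraps the verification steps above as reusable functions. kernel_at_least compares a kernel version string against the advisory's 5.15-rc6 threshold, treating a release candidate as older than its final release and ignoring distribution suffixes; icmp_ratemask_covers tests whether an icmp_ratemask value actually includes a given ICMP type (so a mask of 0 is reported as covering nothing); check_host reads the live values from uname and /proc/sys. The threshold comes from the advisory and the /proc/sys paths from the kernel's sysctl interface. A version comparison cannot see backports, so a "below threshold" result means "consult the distribution advisory", not "confirmed vulnerable".

```sh
#!/bin/sh
# Added example, not from the advisory: read-only verification helpers for
# CVE-2021-20322. Assumes the advisory's 5.15-rc6 threshold; cannot detect
# distribution backports that keep an older version string.

# version_key VERSION -> "major minor patch rc", so keys compare numerically.
# A final release gets rc=9999 so it sorts after any of its release candidates.
version_key() {
    v=$1
    rc=$(printf '%s\n' "$v" | sed -n 's/.*-rc\([0-9][0-9]*\).*/\1/p')
    [ -z "$rc" ] && rc=9999
    base=$(printf '%s\n' "$v" | sed 's/[-+_].*//')   # "5.14.17-301.fc35.x86_64" -> "5.14.17"
    maj=${base%%.*}
    rest=${base#*.}
    [ "$rest" = "$base" ] && rest=0                  # no minor component
    min=${rest%%.*}
    rest2=${rest#*.}
    [ "$rest2" = "$rest" ] && rest2=0                # no patch component
    pat=${rest2%%.*}
    printf '%d %d %d %d\n' "$maj" "$min" "$pat" "$rc"
}

# kernel_at_least VERSION THRESHOLD -> exit status 0 if VERSION >= THRESHOLD.
kernel_at_least() {
    set -- $(version_key "$1") $(version_key "$2")   # $1-$4 candidate, $5-$8 threshold
    [ "$1" -gt "$5" ] && return 0
    [ "$1" -lt "$5" ] && return 1
    [ "$2" -gt "$6" ] && return 0
    [ "$2" -lt "$6" ] && return 1
    [ "$3" -gt "$7" ] && return 0
    [ "$3" -lt "$7" ] && return 1
    [ "$4" -ge "$8" ]
}

# icmp_ratemask_covers TYPE MASK -> exit status 0 if bit TYPE is set in MASK,
# i.e. net.ipv4.icmp_ratelimit applies to that ICMP type.
icmp_ratemask_covers() {
    [ $(( ($2 >> $1) & 1 )) -eq 1 ]
}

# Live, read-only check of this host; prints one line per item.
check_host() {
    running=$(uname -r)
    if kernel_at_least "$running" "5.15-rc6"; then
        echo "kernel $running: at or above 5.15-rc6"
    else
        echo "kernel $running: below 5.15-rc6 (check the distribution advisory for a backport)"
    fi
    for f in /proc/sys/net/ipv4/conf/all/accept_redirects \
             /proc/sys/net/ipv6/conf/all/accept_redirects; do
        [ -r "$f" ] || continue
        val=$(cat "$f")
        [ "$val" = "0" ] && echo "$f=0 (redirects ignored)" || echo "$f=$val (redirects accepted)"
    done
    if [ -r /proc/sys/net/ipv4/icmp_ratemask ]; then
        mask=$(cat /proc/sys/net/ipv4/icmp_ratemask)
        icmp_ratemask_covers 3 "$mask" \
            && echo "icmp_ratemask=$mask rate-limits destination unreachable" \
            || echo "icmp_ratemask=$mask does NOT rate-limit destination unreachable"
    fi
}

# Run the live check only when invoked interactively; sourcing the file for
# the functions alone prints nothing.
if [ -t 1 ]; then check_host; fi
```

Run it as `sh check.sh` on the host to print the report, or source it and call kernel_at_least from other scripts.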

📡 Detection & Monitoring

Log Indicators:

  • Unusual ICMP error message frequency in kernel logs
  • Increased UDP port scan activity in firewall logs

Network Indicators:

  • Bursts of ICMP redirect (type 5) or fragmentation-needed (type 3, code 4) messages referencing the host's UDP ports
  • Unusual UDP traffic patterns suggesting port scanning

SIEM Query (pseudo-syntax; map the field names onto your platform's schema):

source_port:udp AND (icmp.type:3 OR icmp.type:5) AND event_count > threshold
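As a concrete counterpart to the pseudo-query, here is an added example (not from the advisory) that runs the same detection logic over firewall log lines: it counts ICMP type 3 and type 5 messages per source address and reports every source at or above a threshold. The sample lines are constructed in the layout of netfilter LOG output with documentation-range addresses; the FW-IN prefix and the threshold values are assumptions. The function reads stdin, so it can be fed from `journalctl -k` or a syslog file instead of the sample.

```sh
#!/bin/sh
# Added example, not from the advisory: flag sources that send many ICMP
# type 3 (destination unreachable, including code 4 "fragmentation needed")
# or type 5 (redirect) messages, counted from netfilter-style LOG lines.

# Constructed sample in the layout of iptables/nftables LOG output. The
# addresses are documentation ranges; no real hosts are represented.
SAMPLE_LOG='kernel: FW-IN IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=ICMP TYPE=3 CODE=4
kernel: FW-IN IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=ICMP TYPE=3 CODE=4
kernel: FW-IN IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=ICMP TYPE=5 CODE=1
kernel: FW-IN IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=ICMP TYPE=3 CODE=4
kernel: FW-IN IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=ICMP TYPE=3 CODE=4
kernel: FW-IN IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
kernel: FW-IN IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=ICMP TYPE=3 CODE=3
kernel: FW-IN IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=41211 LEN=80'

# flag_icmp_error_sources THRESHOLD: reads LOG lines on stdin and prints
# "SRC count" for every source that sent at least THRESHOLD ICMP type-3 or
# type-5 messages, sorted by address. Echo requests (type 8), other ICMP
# types and non-ICMP lines are ignored.
flag_icmp_error_sources() {
    awk -v t="$1" '
        /PROTO=ICMP/ {
            src = ""; type = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC")  src  = kv[2]
                if (kv[1] == "TYPE") type = kv[2]
            }
            if (src != "" && (type == "3" || type == "5")) n[src]++
        }
        END { for (s in n) if (n[s] >= t) print s, n[s] }
    ' | sort
}

# Stand-alone run over the sample with a threshold of 4 (assumed value; tune
# it to your baseline). For live data: journalctl -k | flag_icmp_error_sources 50
demo() { printf '%s\n' "$SAMPLE_LOG" | flag_icmp_error_sources 4; }
demo
```

With the sample above only 198.51.100.7 is reported at threshold 4; lowering the threshold to 1 also lists 203.0.113.9 with its single destination-unreachable message. Per-source counts over a time window are the part of the pseudo-query that "event_count > threshold" leaves to the platform; here the window is whatever slice of the log you pipe in.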
