CVE-2021-23134

7.8 HIGH

📋 TL;DR

This CVE describes a Use After Free vulnerability in NFC sockets in the Linux Kernel that allows local attackers with CAP_NET_RAW capability to escalate privileges. It affects Linux Kernel versions before 5.12.4. In typical configurations, only privileged local users can trigger this issue.

💻 Affected Systems

Products:
  • Linux Kernel
Versions: All versions before 5.12.4
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires CAP_NET_RAW capability to exploit. NFC functionality must be present in kernel configuration.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Local privilege escalation to root, allowing complete system compromise.

🟠 Likely Case: Privileged local user gains root access, enabling installation of malware, data theft, or persistence mechanisms.

🟢 If Mitigated: Limited impact if CAP_NET_RAW capability is restricted and proper access controls are enforced.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring local access to exploit.
🏢 Internal Only: HIGH - Local users with CAP_NET_RAW capability can exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and CAP_NET_RAW capability. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux Kernel 5.12.4 and later

Vendor Advisory: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=c61760e6940d

Restart Required: Yes

Instructions:

1. Update Linux Kernel to version 5.12.4 or later.
2. Reboot the system to load the new kernel.
3. Verify the kernel version after reboot.

🔧 Temporary Workarounds

Remove CAP_NET_RAW capability

linux

Remove CAP_NET_RAW capability from users and processes that don't require it to prevent exploitation.

setcap -r /path/to/binary
capsh --drop=cap_net_raw -- -c 'command'

Disable NFC kernel module

linux

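Disable NFC functionality if it is not required by unloading the kernel module and blacklisting it. A blacklist entry only stops alias-based automatic loading; an explicit modprobe by root, or another module that depends on nfc, can still load it.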

rmmod nfc
echo 'blacklist nfc' >> /etc/modprobe.d/blacklist.conf

🧯 If You Can't Patch

  • Restrict CAP_NET_RAW capability to only essential users and processes
  • Implement strict access controls and monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check the kernel version with 'uname -r'. If the version is earlier than 5.12.4, the system is vulnerable.

Check Version:

uname -r

Verify Fix Applied:

After patching, verify that the kernel version is 5.12.4 or later with 'uname -r'.
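
The three conditions this page names (kernel older than 5.12.4, NFC support present, CAP_NET_RAW held) can be checked together. The script below is an added example, not part of the advisory or the kernel project; its function names are hypothetical and it assumes a `sort` that supports `-V`. It compares upstream version numbers only, so a distribution kernel that carries a backported fix under an older version string is still reported as older than 5.12.4.

```shell
#!/bin/sh
# Added example: exposure triage for CVE-2021-23134 (helper names are hypothetical).
FIXED="5.12.4"   # first fixed upstream release, as stated on this page

# True (0) if version $1 sorts strictly before $2. Assumes sort supports -V.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# True if a `uname -r` string, with its distro suffix stripped, predates the fix.
kernel_before_fix() {
    version_lt "${1%%[-+]*}" "$FIXED"
}

# True if the nfc module appears in a /proc/modules-format file.
nfc_loaded() {
    grep -q '^nfc ' "${1:-/proc/modules}" 2>/dev/null
}

# True if a hex capability mask (the CapEff value in /proc/<pid>/status)
# contains CAP_NET_RAW, which is capability bit 13.
mask_has_net_raw() {
    [ $(( (0x$1 >> 13) & 1 )) -eq 1 ]
}

exposure_report() {
    rel=$(uname -r)
    if kernel_before_fix "$rel"; then echo "kernel $rel: older than $FIXED"
    else echo "kernel $rel: at or after $FIXED"; fi
    if nfc_loaded; then echo "nfc module: loaded"
    else echo "nfc module: not loaded"; fi
    # List processes whose effective capability set holds CAP_NET_RAW.
    for s in /proc/[0-9]*/status; do
        mask=$(awk '/^CapEff:/ {print $2}' "$s" 2>/dev/null) || continue
        pid=${s#/proc/}; pid=${pid%/status}
        [ -n "$mask" ] && mask_has_net_raw "$mask" &&
            echo "CAP_NET_RAW: pid $pid $(awk '/^Name:/ {print $2}' "$s" 2>/dev/null)"
    done
    return 0
}

exposure_report
```

Run it as root to see every process; an unprivileged run only reports the processes whose status files it can read.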

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic logs
  • System crash dumps
  • Unexpected privilege escalation in audit logs

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

Search for kernel version strings earlier than 5.12.4 in system inventory data
