CVE-2021-28375

7.8 HIGH

📋 TL;DR

This vulnerability in the Linux kernel allows user applications to send kernel RPC messages through the fastrpc driver, bypassing intended access controls. It affects Linux systems with kernel versions up to 5.11.6 that use the fastrpc driver. This is a privilege escalation vulnerability that could allow local attackers to gain elevated privileges.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Linux kernel versions through 5.11.6
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires fastrpc driver to be present and accessible. Some distributions may not enable this driver by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →


⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attacker gains root privileges, leading to complete system compromise, data theft, or installation of persistent malware.

🟠

Likely Case

Local user escalates privileges to gain unauthorized access to sensitive system resources or other user data.

🟢

If Mitigated

Attack fails due to proper access controls, SELinux/AppArmor policies, or lack of local access.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring existing local access.
🏢 Internal Only: MEDIUM - Internal users with shell access could exploit this to gain elevated privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and knowledge of the fastrpc interface. This is related to CVE-2019-2308 which had similar exploitation patterns.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel 5.11.7 and later

Vendor Advisory: https://git.kernel.org/linus/20c40794eb85ea29852d7bc37c55713802a543d6

Restart Required: Yes

Instructions:

1. Update the Linux kernel to version 5.11.7 or later.
2. For distributions: use the package manager (apt/yum/dnf) to update the kernel package.
3. Reboot the system to load the new kernel.

🔧 Temporary Workarounds

Disable fastrpc module

Prevent loading of the vulnerable fastrpc driver module:

  echo 'blacklist fastrpc' > /etc/modprobe.d/fastrpc-blacklist.conf
  rmmod fastrpc

A blacklist entry only stops automatic loading by alias; an explicit modprobe fastrpc still succeeds. Adding the line install fastrpc /bin/false to the same file blocks that as well. Neither helps when the driver is compiled into the kernel rather than built as a module.

Restrict module loading

Prevent unauthorized loading of kernel modules:

  echo 'kernel.modules_disabled=1' >> /etc/sysctl.conf
  sysctl -p

kernel.modules_disabled is one-way: once set to 1 it cannot be cleared until reboot, and it blocks loading of every module, not just fastrpc, so apply it only after all modules the system needs are loaded.

🧯 If You Can't Patch

  • Implement strict access controls to prevent local users from executing arbitrary code
  • Use SELinux or AppArmor to restrict fastrpc driver access and contain potential privilege escalation

🔍 How to Verify

Check if Vulnerable:

Check the kernel version with uname -r. If it is 5.11.6 or earlier, check whether the fastrpc module is loaded: lsmod | grep fastrpc. Note that lsmod lists only loadable modules; a driver compiled into the kernel does not appear there.

Check Version:

uname -r

Verify Fix Applied:

After update, verify kernel version is 5.11.7 or later: uname -r
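The verification steps above can be combined into one check that also covers the case lsmod misses. The script below is an added example, not part of the advisory or the kernel project: the only facts it takes from the page are the fix version (5.11.7) and the driver name (fastrpc). The function names, the classification words, and the use of /lib/modules/$(uname -r)/modules.builtin to detect a built-in driver are this example's own choices. It takes the three inputs as arguments so it can run offline on constructed samples; on a real host feed it the output of uname -r, lsmod, and cat /lib/modules/$(uname -r)/modules.builtin.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a host's exposure to
# CVE-2021-28375 from inputs collected with uname -r, lsmod and modules.builtin.
# Fix version 5.11.7 and driver name fastrpc come from the advisory; everything
# else here is this example's own assumption.

# Print the three numeric components of a kernel release string,
# e.g. "5.11.6-arch1-1" -> "5 11 6". Missing components become 0.
kernel_numeric() {
    v=${1%%-*}          # drop the "-<localversion>" suffix
    v=${v%%+*}          # drop a trailing "+" dirty marker
    old_ifs=$IFS
    IFS=.
    set -- $v
    IFS=$old_ifs
    printf '%s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}"
}

# Succeed when release $1 is strictly older than release $2.
version_lt() {
    set -- $(kernel_numeric "$1") $(kernel_numeric "$2")
    if [ "$1" -lt "$4" ]; then return 0; fi
    if [ "$1" -gt "$4" ]; then return 1; fi
    if [ "$2" -lt "$5" ]; then return 0; fi
    if [ "$2" -gt "$5" ]; then return 1; fi
    if [ "$3" -lt "$6" ]; then return 0; fi
    return 1
}

# Succeed when fastrpc is loaded ($1 = lsmod output) or compiled into the
# kernel ($2 = contents of /lib/modules/$(uname -r)/modules.builtin).
fastrpc_present() {
    if printf '%s\n' "$1" | grep -q '^fastrpc[[:space:]]'; then return 0; fi
    if printf '%s\n' "$2" | grep -q '/fastrpc\.ko$'; then return 0; fi
    return 1
}

# Print one word: patched | vulnerable | unpatched-driver-absent
#   $1 = kernel release, $2 = lsmod output, $3 = modules.builtin contents
fastrpc_exposure() {
    release=$1; lsmod_out=$2; builtin_list=$3
    if version_lt "$release" "5.11.7"; then
        if fastrpc_present "$lsmod_out" "$builtin_list"; then
            echo vulnerable
        else
            echo unpatched-driver-absent
        fi
    else
        echo patched
    fi
}

# Constructed sample inputs so the script runs offline.
SAMPLE_LSMOD='Module                  Size  Used by
fastrpc                28672  0
qcom_q6v5             20480  1'
SAMPLE_BUILTIN='kernel/drivers/char/random.ko
kernel/drivers/misc/fastrpc.ko'

main() {
    fastrpc_exposure "5.11.6-arch1-1" "$SAMPLE_LSMOD" ""        # vulnerable
    fastrpc_exposure "5.11.6" "" "$SAMPLE_BUILTIN"              # vulnerable (driver built in)
    fastrpc_exposure "5.10.0-8-amd64" "Module Size Used by" ""  # unpatched-driver-absent
    fastrpc_exposure "5.11.7" "$SAMPLE_LSMOD" ""                # patched
}
main "$@"
```

The unpatched-driver-absent result still means the kernel should be updated; it only says the driver cannot be reached on that host right now, which is what the blacklist workaround above aims for.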

📡 Detection & Monitoring

Log Indicators:

  • Unusual fastrpc driver activity in kernel logs
  • Failed module loading attempts for fastrpc
  • Unexpected privilege escalation events

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

source="kernel" AND ("fastrpc" OR "RPC message" OR "privilege escalation")
