CVE-2021-3321

7.5 HIGH

📋 TL;DR

This CVE describes an integer underflow vulnerability in Zephyr's IEEE 802.15.4 fragment reassembly header removal code. When exploited, it can lead to buffer overflow, potentially allowing remote code execution or denial of service. Affects Zephyr RTOS users implementing IEEE 802.15.4 wireless networking.
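The underflow described above, as an added illustration that is not Zephyr's code or the advisory's: a hypothetical fragment-header strip routine that assumes the 6LoWPAN FRAG1/FRAGN header sizes, with the unchecked subtraction shown beside the bounds-checked form a fix would use.

```c
/* Added illustration of the CVE-2021-3321 bug class; not Zephyr's code.
 * It models 6LoWPAN fragment-header removal: the header is 4 bytes for
 * FRAG1 (dispatch 11000xxx) or 5 bytes for FRAGN (dispatch 11100xxx).
 * Subtracting the header size from a 16-bit frame length without a
 * bounds check wraps when the frame is shorter than the header. */
#include <stdint.h>
#include <string.h>

#define DISPATCH_MASK  0xF8
#define FRAG1_DISPATCH 0xC0   /* 11000xxx */
#define FRAGN_DISPATCH 0xE0   /* 11100xxx */

size_t frag_hdr_len(uint8_t dispatch)
{
    if ((dispatch & DISPATCH_MASK) == FRAG1_DISPATCH) return 4;
    if ((dispatch & DISPATCH_MASK) == FRAGN_DISPATCH) return 5;
    return 0; /* not a fragment header */
}

/* Vulnerable pattern: the length is shrunk without checking that the
 * frame actually covers the header. Returns the wrapped length that the
 * real code would then hand to memmove() as a copy size. */
uint16_t strip_frag_hdr_unchecked(const uint8_t *frame, uint16_t len)
{
    return (uint16_t)(len - frag_hdr_len(frame[0]));
}

/* Hardened pattern: validate before subtracting, then move the payload. */
int strip_frag_hdr_checked(uint8_t *frame, uint16_t len, uint16_t *out_len)
{
    size_t hdr = frag_hdr_len(frame[0]);
    if (hdr == 0 || len < hdr) {
        return -1;            /* malformed fragment: drop it */
    }
    memmove(frame, frame + hdr, len - hdr);
    *out_len = (uint16_t)(len - hdr);
    return 0;
}

/* Constructed FRAGN fragment: dispatch 0xE1 (size 0x100), tag 0x1234,
 * offset 1, then three payload bytes. Returns the payload length left
 * after the checked strip, or 0xFFFF if the frame was rejected. */
uint16_t demo_checked(void)
{
    uint8_t frame[] = { 0xE1, 0x00, 0x12, 0x34, 0x01, 0xAA, 0xBB, 0xCC };
    uint16_t out = 0;
    if (strip_frag_hdr_checked(frame, sizeof(frame), &out) != 0) return 0xFFFF;
    return frame[0] == 0xAA ? out : 0xFFFF;
}
```

A three-byte frame carrying only the start of a FRAGN header makes the unchecked routine report 65534 bytes of payload, while the checked one rejects it.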

💻 Affected Systems

Products:
  • Zephyr RTOS
Versions: >=2.4.0
Operating Systems: Zephyr RTOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems using IEEE 802.15.4 (Zigbee/Thread/6LoWPAN) networking with fragment reassembly enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote attacker gains arbitrary code execution on affected Zephyr devices, potentially taking full control of IoT/embedded systems.

🟠 Likely Case

Denial of service through system crashes or instability in affected wireless networking functionality.

🟢 If Mitigated

Limited impact with proper network segmentation and device isolation, potentially only affecting specific wireless functionality.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires sending specially crafted IEEE 802.15.4 packets to trigger the integer underflow during fragment reassembly.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in Zephyr v2.5.0 and later

Vendor Advisory: https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-w44j-66g7-xw99

Restart Required: Yes

Instructions:

1. Update Zephyr RTOS to version 2.5.0 or later.
2. Rebuild and redeploy firmware to affected devices.
3. Verify IEEE 802.15.4 functionality post-update.

🔧 Temporary Workarounds

Disable IEEE 802.15.4 Fragment Reassembly

Platform: all

Disable fragment reassembly in IEEE 802.15.4 configuration if not required for your application.

Set CONFIG_IEEE802154_FRAGMENT_REASSEMBLY=n in prj.conf

Network Segmentation

Platform: all

Isolate IEEE 802.15.4 networks from untrusted networks and implement strict firewall rules.

🧯 If You Can't Patch

  • Implement strict network segmentation for IEEE 802.15.4 traffic
  • Deploy network monitoring for anomalous IEEE 802.15.4 packet patterns

🔍 How to Verify

Check if Vulnerable:

Check the Zephyr version and the IEEE 802.15.4 configuration: if the version is >=2.4.0 and CONFIG_IEEE802154_FRAGMENT_REASSEMBLY=y, the system is vulnerable.

Check Version:

Check the Zephyr version in the build configuration, or use the Zephyr shell command 'kernel version' if the shell is available.

Verify Fix Applied:

Verify that the Zephyr version is >=2.5.0 and that IEEE 802.15.4 functionality works correctly after the update.

📡 Detection & Monitoring

Log Indicators:

  • Kernel panics
  • IEEE 802.15.4 subsystem crashes
  • Unexpected reboots

Network Indicators:

  • Malformed IEEE 802.15.4 fragments
  • Unusual fragment reassembly patterns

SIEM Query:

Search for: (event_source:"zephyr_kernel" AND (event_type:"panic" OR event_type:"crash")) OR (protocol:"802.15.4" AND fragment_count > threshold)
