CVE-2021-3609

Q: What is the severity of CVE-2021-3609?

CVE-2021-3609 has a CVSS score of 7.0 (HIGH). CVE-2021-3609 is a race condition vulnerability in the Linux kernel's CAN BCM networking protocol that allows local attackers to corrupt memory and potentially escalate privileges to root. This affects Linux systems with CAN bus support enabled, primarily impacting embedded systems, automotive systems, and industrial control systems using CAN networking.

7.0 HIGH

📋 TL;DR

CVE-2021-3609 is a race condition vulnerability in the Linux kernel's CAN BCM networking protocol that allows local attackers to corrupt memory and potentially escalate privileges to root. This affects Linux systems with CAN bus support enabled, primarily impacting embedded systems, automotive systems, and industrial control systems using CAN networking.

💻 Affected Systems

Products:

Linux kernel

Versions: Linux kernel versions before 5.13-rc1

Operating Systems: Linux distributions with vulnerable kernel versions

Default Config Vulnerable: ✅ No

Notes: Only vulnerable if CAN bus subsystem is enabled and configured. Many desktop/server distributions don't enable CAN by default.

📦 What is this software?

Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions by Redhat

View all CVEs affecting Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions →

Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions by Redhat

View all CVEs affecting Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions →

Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions by Redhat

View all CVEs affecting Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions →

Enterprise Linux Server Tus by Redhat

View all CVEs affecting Enterprise Linux Server Tus →

Enterprise Linux Server Tus by Redhat

View all CVEs affecting Enterprise Linux Server Tus →

Enterprise Linux Server Update Services For Sap Solutions by Redhat

View all CVEs affecting Enterprise Linux Server Update Services For Sap Solutions →

Enterprise Linux Server Update Services For Sap Solutions by Redhat

View all CVEs affecting Enterprise Linux Server Update Services For Sap Solutions →

Enterprise Linux Server Update Services For Sap Solutions by Redhat

View all CVEs affecting Enterprise Linux Server Update Services For Sap Solutions →

H300e Firmware by Netapp

View all CVEs affecting H300e Firmware →

H300s Firmware by Netapp

View all CVEs affecting H300s Firmware →

H410c Firmware by Netapp

View all CVEs affecting H410c Firmware →

H410s Firmware by Netapp

View all CVEs affecting H410s Firmware →

H500e Firmware by Netapp

View all CVEs affecting H500e Firmware →

H500s Firmware by Netapp

View all CVEs affecting H500s Firmware →

H610c Firmware by Netapp

View all CVEs affecting H610c Firmware →

H610s Firmware by Netapp

View all CVEs affecting H610s Firmware →

H615c Firmware by Netapp

View all CVEs affecting H615c Firmware →

H700e Firmware by Netapp

View all CVEs affecting H700e Firmware →

H700s Firmware by Netapp

View all CVEs affecting H700s Firmware →

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

Learn more about Linux Kernel →

Linux Kernel by Linux

Learn more about Linux Kernel →

Linux Kernel by Linux

Learn more about Linux Kernel →

Linux Kernel by Linux

Learn more about Linux Kernel →

Linux Kernel by Linux

Learn more about Linux Kernel →

Linux Kernel by Linux

Learn more about Linux Kernel →

Linux Kernel by Linux

Learn more about Linux Kernel →

Linux Kernel by Linux

Learn more about Linux Kernel →

Openshift Container Platform by Redhat

View all CVEs affecting Openshift Container Platform →

Openshift Container Platform by Redhat

View all CVEs affecting Openshift Container Platform →

Openshift Container Platform by Redhat

View all CVEs affecting Openshift Container Platform →

Virtualization by Redhat

View all CVEs affecting Virtualization →

Virtualization Host by Redhat

View all CVEs affecting Virtualization Host →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full root privilege escalation leading to complete system compromise, data theft, and persistent backdoor installation.

🟠

Likely Case

Local privilege escalation allowing attackers to gain root access on vulnerable systems, potentially leading to lateral movement within networks.

🟢

If Mitigated

Limited impact if systems have proper access controls, minimal local user accounts, and CAN networking disabled where not needed.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access to the system.

🏢 Internal Only: HIGH - Internal attackers or compromised accounts can exploit this to gain root privileges on affected systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access and knowledge of race condition timing. Public proof-of-concept code exists on GitHub.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel 5.13-rc1 and later

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1971651

Restart Required: Yes

Instructions:

1. Update Linux kernel to version 5.13-rc1 or later. 2. For distributions: Use package manager (apt/yum/dnf) to update kernel package. 3. Reboot system after update.

🔧 Temporary Workarounds

Disable CAN subsystem

linux

Remove CAN kernel modules to prevent exploitation

sudo modprobe -r can_raw
sudo modprobe -r can
sudo modprobe -r can_bcm
echo 'blacklist can' | sudo tee /etc/modprobe.d/blacklist-can.conf

Restrict CAN socket access

linux

Use Linux capabilities to restrict who can create CAN sockets

sudo setcap -r /bin/ip
sudo setcap cap_net_raw-ep /bin/ip

🧯 If You Can't Patch

Disable CAN subsystem modules if not required for system functionality
Implement strict access controls and limit local user accounts on affected systems

🔍 How to Verify

Check if Vulnerable:

Check kernel version: uname -r and compare to affected versions. Check if CAN modules are loaded: lsmod | grep -i can

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is 5.13-rc1 or later: uname -r. Check that CAN modules are either updated or disabled.

📡 Detection & Monitoring

Log Indicators:

Kernel oops messages related to CAN or memory corruption
Unexpected privilege escalation events in audit logs
Failed CAN socket creation attempts from non-privileged users

Network Indicators:

CAN bus traffic anomalies if monitoring industrial networks

SIEM Query:

source="kernel" AND ("CAN" OR "bcm" OR "race condition") OR event_type="privilege_escalation" AND process_name="exploit"

📊 Metadata

CVE ID: CVE-2021-3609

CVSS v3 Score: 7.0 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-362

Published: March 3, 2022

Last Updated: November 21, 2024

🔗 References

https://bugzilla.redhat.com/show_bug.cgi?id=1971651 Issue Tracking,Third Party Advisory
https://github.com/nrb547/kernel-exploitation/blob/main/cve-2021-3609/cve-2021-3609.md Exploit,Technical Description,Third Party Advisory
https://github.com/torvalds/linux/commit/d5f9023fa61ee8b94f37a93f08e94b136cf1e463 Patch,Third Party Advisory
https://security.netapp.com/advisory/ntap-20220419-0004/ Third Party Advisory
https://www.openwall.com/lists/oss-security/2021/06/19/1 Mailing List,Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1971651 Issue Tracking,Third Party Advisory
https://github.com/nrb547/kernel-exploitation/blob/main/cve-2021-3609/cve-2021-3609.md Exploit,Technical Description,Third Party Advisory
https://github.com/torvalds/linux/commit/d5f9023fa61ee8b94f37a93f08e94b136cf1e463 Patch,Third Party Advisory
https://security.netapp.com/advisory/ntap-20220419-0004/ Third Party Advisory
https://www.openwall.com/lists/oss-security/2021/06/19/1 Mailing List,Third Party Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

3scale Api Management by Redhat

Build Of Quarkus by Redhat

Codeready Linux Builder Eus by Redhat

Codeready Linux Builder Eus by Redhat

Codeready Linux Builder Eus by Redhat

Codeready Linux Builder For Power Little Endian Eus by Redhat

Codeready Linux Builder For Power Little Endian Eus by Redhat

Codeready Linux Builder For Power Little Endian Eus by Redhat

Enterprise Linux Aus by Redhat

Enterprise Linux Eus by Redhat

Enterprise Linux Eus by Redhat

Enterprise Linux Eus by Redhat

Enterprise Linux For Ibm Z Systems Eus by Redhat

Enterprise Linux For Ibm Z Systems Eus S390x by Redhat

Enterprise Linux For Power Little Endian Eus by Redhat

Enterprise Linux For Power Little Endian Eus by Redhat

Enterprise Linux For Power Little Endian Eus by Redhat

Enterprise Linux For Real Time by Redhat

Enterprise Linux For Real Time For Nfv by Redhat

Enterprise Linux For Real Time For Nfv Tus by Redhat

Enterprise Linux For Real Time For Nfv Tus by Redhat

Enterprise Linux For Real Time Tus by Redhat

Enterprise Linux For Real Time Tus by Redhat

Enterprise Linux Server Aus by Redhat

Enterprise Linux Server Aus by Redhat

Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions by Redhat

Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions by Redhat

Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions by Redhat

Enterprise Linux Server Tus by Redhat

Enterprise Linux Server Tus by Redhat

Enterprise Linux Server Update Services For Sap Solutions by Redhat

Enterprise Linux Server Update Services For Sap Solutions by Redhat

Enterprise Linux Server Update Services For Sap Solutions by Redhat

H300e Firmware by Netapp

H300s Firmware by Netapp

H410c Firmware by Netapp

H410s Firmware by Netapp

H500e Firmware by Netapp

H500s Firmware by Netapp

H610c Firmware by Netapp

H610s Firmware by Netapp

H615c Firmware by Netapp

H700e Firmware by Netapp

H700s Firmware by Netapp

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Linux Kernel by Linux

Openshift Container Platform by Redhat

Openshift Container Platform by Redhat

Openshift Container Platform by Redhat

Virtualization by Redhat

Virtualization Host by Redhat

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable CAN subsystem

Restrict CAN socket access

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query: