CVE-2021-3773

9.8 CRITICAL

📋 TL;DR

A netfilter flaw allows network-connected attackers to infer OpenVPN connection endpoint information by analyzing network traffic patterns. This affects Linux systems running OpenVPN with netfilter enabled. Attackers can use this information to target VPN endpoints with traditional network attacks.

💻 Affected Systems

Products:
  • Linux kernel with netfilter
  • OpenVPN
Versions: Linux kernel versions before specific patches (varies by distribution), OpenVPN versions using affected netfilter functionality
Operating Systems: Linux distributions including RHEL, CentOS, Ubuntu, Debian
Default Config Vulnerable: ⚠️ Yes
Notes: Requires netfilter enabled and OpenVPN traffic passing through affected netfilter modules.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers identify and directly target VPN endpoints with DDoS, port scanning, or other network attacks, potentially compromising VPN infrastructure and exposing internal networks.

🟠 Likely Case

Attackers map VPN infrastructure and perform reconnaissance to plan targeted attacks against exposed endpoints.

🟢 If Mitigated

Limited information leakage with minimal impact if VPN endpoints are already hardened and monitored.

🌐 Internet-Facing: HIGH - VPN endpoints are typically internet-facing, making them directly accessible to attackers.
🏢 Internal Only: LOW - Requires network access to traffic between VPN client and server.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires network access to monitor traffic patterns but no authentication. Public research and presentations demonstrate the technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Varies by Linux distribution - check vendor advisories for specific kernel versions

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=2004949

Restart Required: Yes

Instructions:

1. Check your Linux distribution's security advisories.
2. Update kernel packages to patched versions.
3. Reboot system to load new kernel.
4. Verify OpenVPN functionality post-update.

🔧 Temporary Workarounds

Disable affected netfilter modules

linux

Remove or disable netfilter modules that leak timing information

modprobe -r nf_conntrack_ftp
modprobe -r nf_nat_ftp

Network segmentation

all

Isolate VPN traffic from potential attackers

🧯 If You Can't Patch

  • Implement network monitoring and intrusion detection for unusual traffic patterns to VPN endpoints
  • Harden VPN endpoints with additional firewall rules and rate limiting

🔍 How to Verify

Check if Vulnerable:

Check kernel version against vendor advisories and verify netfilter modules are loaded: lsmod | grep nf_conntrack_ftp

Check Version:

uname -r

Verify Fix Applied:

Verify updated kernel version and test that affected netfilter modules are not loaded or patched

📡 Detection & Monitoring

Log Indicators:

  • Unusual connection patterns to VPN endpoints
  • Increased scanning activity against VPN infrastructure

Network Indicators:

  • Abnormal traffic analysis patterns targeting VPN ports
  • Reconnaissance activity preceding attacks on VPN endpoints

SIEM Query:

source_ip OUTSIDE internal_net AND dest_port IN (1194, 443) AND protocol=tcp AND bytes_transferred < threshold GROUP BY hour
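
The SIEM query above, written out as detection logic over flow records. This is an added example, not part of the original advisory or any vendor tooling. The internal network range, the byte threshold, the per-source alert count and the CSV flow format are assumptions, and the sample records are constructed. It groups by source IP as well as by hour so a repeat source stands out.

```python
import csv
import io
import ipaddress
from collections import Counter
from datetime import datetime

# Assumed values: the page's query leaves internal_net and threshold undefined.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
BYTE_THRESHOLD = 200
VPN_PORTS = {1194, 443}  # ports named in the page's query

# Constructed sample flow records: timestamp, src_ip, dst_port, protocol, bytes.
SAMPLE_FLOWS = """\
2021-09-20T10:02:11,198.51.100.7,1194,tcp,64
2021-09-20T10:14:40,198.51.100.7,1194,tcp,60
2021-09-20T10:31:05,198.51.100.7,443,tcp,72
2021-09-20T10:45:19,10.1.2.3,1194,tcp,64
2021-09-20T10:50:00,203.0.113.9,1194,tcp,48213
2021-09-20T11:05:33,203.0.113.9,443,udp,80
2021-09-20T11:07:02,198.51.100.7,1194,tcp,58
2021-09-20T11:09:47,192.0.2.44,22,tcp,40
"""

def small_external_flows_by_hour(flow_csv):
    """Count flows matching the query's filters, keyed by (hour, source IP)."""
    counts = Counter()
    for ts, src, port, proto, nbytes in csv.reader(io.StringIO(flow_csv)):
        if ipaddress.ip_address(src) in INTERNAL_NET:
            continue  # source_ip OUTSIDE internal_net
        if int(port) not in VPN_PORTS or proto.lower() != "tcp":
            continue  # dest_port IN (1194, 443) AND protocol=tcp
        if int(nbytes) >= BYTE_THRESHOLD:
            continue  # bytes_transferred < threshold
        hour = datetime.fromisoformat(ts).strftime("%Y-%m-%d %H:00")
        counts[(hour, src)] += 1  # GROUP BY hour (and source)
    return counts

def flag_sources(counts, min_flows=3):
    """Return (hour, source) buckets with at least min_flows matching flows."""
    return sorted(key for key, n in counts.items() if n >= min_flows)

if __name__ == "__main__":
    buckets = small_external_flows_by_hour(SAMPLE_FLOWS)
    for (hour, src), n in sorted(buckets.items()):
        print(f"{hour}  {src}  small_tcp_flows={n}")
    print("flagged:", flag_sources(buckets))
```
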
