CVE-2021-38201
📋 TL;DR
This vulnerability in the Linux kernel's NFS client implementation allows remote attackers to cause a denial of service through slab-out-of-bounds memory access. Attackers can trigger this by sending many NFS 4.2 READ_PLUS operations to vulnerable systems. Any Linux system using NFS 4.2 with kernel versions before 5.13.4 is potentially affected.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Solidfire by Netapp
⚠️ Risk & Real-World Impact
Worst Case
Complete system crash or kernel panic leading to sustained denial of service, potentially requiring physical intervention to reboot the system.
Likely Case
System instability, kernel crashes, or service disruption affecting NFS operations and potentially other system functions.
If Mitigated
Limited impact with proper network segmentation and access controls preventing unauthorized NFS access.
🎯 Exploit Status
Exploitation requires ability to send NFS 4.2 READ_PLUS operations to vulnerable system, which typically requires network access to NFS service.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Linux kernel 5.13.4 and later
Vendor Advisory: https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.13.4
Restart Required: Yes
Instructions:
1. Update kernel to version 5.13.4 or later. 2. For distributions with backported patches, apply security updates. 3. Reboot system to load new kernel.
🔧 Temporary Workarounds
Disable NFS 4.2
linuxConfigure NFS to use older protocol versions (NFS 3 or 4.0/4.1) which are not affected by this vulnerability
echo "options nfs nfs4_disable_idmapping=1" > /etc/modprobe.d/nfs.conf
systemctl restart nfs-server
Restrict NFS Access
linuxUse firewall rules to limit NFS access to trusted hosts only
iptables -A INPUT -p tcp --dport 2049 -s trusted_ip_range -j ACCEPT
iptables -A INPUT -p tcp --dport 2049 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate NFS traffic to trusted networks only
- Monitor NFS logs for unusual READ_PLUS operation patterns and implement rate limiting
🔍 How to Verify
Check if Vulnerable:
Check kernel version with 'uname -r' and verify if it's below 5.13.4. Also check if NFS 4.2 is enabled with 'cat /proc/fs/nfsd/versions'Check Version:
uname -rVerify Fix Applied:
Verify kernel version is 5.13.4 or higher with 'uname -r'. Check that system remains stable during NFS operations.📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs
- OOM killer messages
- NFS server logs showing excessive READ_PLUS operations
Network Indicators:
- High volume of NFS 4.2 READ_PLUS operations from single source
- Unusual NFS traffic patterns
SIEM Query:
source="kernel" AND ("panic" OR "Oops" OR "slab-out-of-bounds") OR source="nfs" AND "READ_PLUS" count_threshold=1000🔗 References
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.13.4
- https://github.com/torvalds/linux/commit/6d1c0f3d28f98ea2736128ed3e46821496dc3a8c
- https://security.netapp.com/advisory/ntap-20210902-0010/
- https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.13.4
- https://github.com/torvalds/linux/commit/6d1c0f3d28f98ea2736128ed3e46821496dc3a8c
- https://security.netapp.com/advisory/ntap-20210902-0010/
