CVE-2021-42972

8.8 HIGH

📋 TL;DR

This vulnerability in NoMachine Server allows local attackers to execute arbitrary code with kernel privileges or cause denial of service via memory corruption. It affects NoMachine Server versions above 4.0.346 and below 7.7.4. Attackers need local access to exploit the buffer overflow in the IOCTL handler.

💻 Affected Systems

Products:
  • NoMachine Server
Versions: Above 4.0.346 and below 7.7.4
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all NoMachine Server installations within vulnerable version range regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with kernel-level code execution leading to persistent backdoor installation, data theft, and full control of affected systems.

🟠 Likely Case

Local privilege escalation from limited user to SYSTEM/root access, enabling lateral movement and persistence within the environment.

🟢 If Mitigated

Denial of service causing system crashes and service disruption without code execution if the exploit fails or protections are in place.

🌐 Internet-Facing: LOW - Requires local access to exploit, not directly reachable over network.
🏢 Internal Only: HIGH - Local attackers can escalate privileges to compromise entire systems from within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access, but the buffer overflow in the kernel driver makes reliable exploitation feasible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.7.4 and later

Vendor Advisory: https://www.nomachine.com/

Restart Required: Yes

Instructions:

1. Download NoMachine Server version 7.7.4 or later from the official website.
2. Stop the NoMachine service.
3. Install the updated version.
4. Restart the system to ensure the kernel driver update takes effect.

🔧 Temporary Workarounds

Restrict local access (all platforms)

Limit user accounts with local access to NoMachine servers to trusted administrators only.

Disable unnecessary services (Linux)

Disable NoMachine Server on systems where remote access is not required:

sudo systemctl stop nomachine
sudo systemctl disable nomachine

🧯 If You Can't Patch

  • Isolate NoMachine servers in separate network segments with strict access controls.
  • Implement application allowlisting to prevent execution of unauthorized binaries even with elevated privileges.

🔍 How to Verify

Check if Vulnerable:

Check the NoMachine Server version via the GUI or configuration files. On Linux, check /usr/NX/etc/server.cfg or run 'nxserver --version'.

Check Version:

nxserver --version

Verify Fix Applied:

Confirm the reported version is 7.7.4 or higher and that the installed kernel driver version matches the updated server version.
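The version check above, as an added POSIX shell example that is not from this page or from NoMachine: it compares a version string obtained from 'nxserver --version' or server.cfg against the affected range (above 4.0.346 and below 7.7.4). The dot-separated numeric version format and the script name check_nomachine.sh are assumptions.

```shell
#!/bin/sh
# Added example, not from this page or from NoMachine: classify a NoMachine
# Server version string against the range the advisory lists as affected
# (above 4.0.346 and below 7.7.4). Assumes versions are dot-separated
# integers such as "4.0.346" or "7.6.2".

# vercmp A B: prints -1, 0 or 1 as A is lower than, equal to, or higher
# than B, comparing each dot-separated numeric component in turn and
# treating a missing component as 0 (so 7.7 equals 7.7.0).
vercmp() {
    a="$1."
    b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# nomachine_vulnerable VERSION: succeeds (exit 0) when VERSION is strictly
# above 4.0.346 and strictly below 7.7.4, the fixed release.
nomachine_vulnerable() {
    [ "$(vercmp "$1" 4.0.346)" -gt 0 ] && [ "$(vercmp "$1" 7.7.4)" -lt 0 ]
}

# Usage (script name assumed): sh check_nomachine.sh 7.6.2
# Pass the version string reported by 'nxserver --version' or taken from
# /usr/NX/etc/server.cfg.
if [ -n "$1" ]; then
    if nomachine_vulnerable "$1"; then
        echo "NoMachine Server $1: inside affected range, upgrade to 7.7.4 or later"
    else
        echo "NoMachine Server $1: outside affected range"
    fi
fi
```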

📡 Detection & Monitoring

Log Indicators:

  • Kernel crash dumps
  • System instability after local user access
  • Unexpected privilege escalation events

Network Indicators:

  • Unusual outbound connections from NoMachine servers post-local access

SIEM Query:

EventID=41 OR (source="kernel" AND "crash") OR (process="nxserver" AND privilege_change)
