CVE-2021-43057

7.8 HIGH

📋 TL;DR

A use-after-free vulnerability in the SELinux PTRACE_TRACEME handler in Linux kernel versions before 5.14.8 allows local attackers to cause memory corruption and potentially escalate privileges. This affects systems running vulnerable Linux kernels with SELinux enabled. Attackers must have local access to exploit this vulnerability.

💻 Affected Systems

Products:
  • Linux kernel
Versions: All versions before 5.14.8
Operating Systems: Linux distributions using vulnerable kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with SELinux enabled; many distributions enable SELinux by default.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case

Local privilege escalation to root, allowing complete system compromise and persistence.

🟠 Likely Case

Local privilege escalation to gain higher privileges than the attacker's current user account.

🟢 If Mitigated

No impact if SELinux is disabled or kernel is patched; minimal impact with proper access controls limiting local user accounts.

🌐 Internet-Facing: LOW - Requires local access, cannot be exploited remotely.
🏢 Internal Only: HIGH - Local attackers with shell access can exploit this to escalate privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit requires local access and knowledge of kernel exploitation techniques; Project Zero published technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.14.8 and later

Vendor Advisory: https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.14.8

Restart Required: Yes

Instructions:

1. Update kernel to version 5.14.8 or later using your distribution's package manager.
2. For Red Hat/CentOS: yum update kernel
3. For Ubuntu/Debian: apt update && apt upgrade linux-image
4. Reboot the system to load the new kernel.

🔧 Temporary Workarounds

Disable SELinux

Temporarily disable SELinux to prevent exploitation (not recommended for production)

setenforce 0
echo 0 > /sys/fs/selinux/enforce

Restrict ptrace access

Limit ptrace capabilities using kernel.yama.ptrace_scope

sysctl -w kernel.yama.ptrace_scope=2
echo 'kernel.yama.ptrace_scope=2' >> /etc/sysctl.conf

🧯 If You Can't Patch

  • Implement strict access controls to limit local user accounts and shell access
  • Monitor for privilege escalation attempts and unusual ptrace activity

🔍 How to Verify

Check if Vulnerable:

Check kernel version and SELinux status: uname -r && getenforce

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is 5.14.8 or later: uname -r
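
One way to script the checks above, as an added example that is not part of the original advisory. It compares the upstream version number only, so a distribution kernel that carries a backported fix under an older version will still be reported as unpatched. The verdict names, the Disabled fallback when getenforce is missing, and counting any mode other than Disabled as enabled are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: triage helper for CVE-2021-43057 (not part of the advisory).
FIXED=5.14.8    # first fixed upstream release, per the advisory

# version_lt A B: succeed when upstream version A sorts before B.
# Distribution suffixes such as "-200.fc34.x86_64" are ignored.
version_lt() {
    va=${1%%-*}; vb=${2%%-*}
    old_ifs=$IFS; IFS=.
    set -- $va; a1=$1; a2=$2; a3=$3
    set -- $vb; b1=$1; b2=$2; b3=$3
    IFS=$old_ifs
    for pair in "$a1:$b1" "$a2:$b2" "$a3:$b3"; do
        x=${pair%%:*}; y=${pair#*:}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # drop trailing "+", "rc1", ...
        x=${x:-0}; y=${y:-0}               # missing component counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1    # equal versions are not "less than"
}

# assess RELEASE SELINUX_MODE PTRACE_SCOPE: print a one-word verdict.
# Assumption: any getenforce value other than "Disabled" counts as enabled.
assess() {
    if ! version_lt "$1" "$FIXED"; then echo patched; return 0; fi
    if [ "$2" = Disabled ]; then echo selinux-disabled; return 0; fi
    # kernel.yama.ptrace_scope=2 is the workaround value this advisory gives
    if [ "${3:-0}" -ge 2 ] 2>/dev/null; then echo ptrace-restricted; return 0; fi
    echo exposed
}

# Live values. Assumption: a missing getenforce binary is treated as
# Disabled, and a missing Yama sysctl as ptrace_scope 0.
mode=$(getenforce 2>/dev/null || echo Disabled)
scope=$(cat /proc/sys/kernel/yama/ptrace_scope 2>/dev/null || echo 0)
echo "$(uname -r): $(assess "$(uname -r)" "$mode" "$scope")"
```
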

📡 Detection & Monitoring

Log Indicators:

  • Failed privilege escalation attempts
  • Unusual ptrace system calls
  • SELinux denial logs related to ptrace

Network Indicators:

  • None - local exploit only

SIEM Query:

(process.name:ptrace AND event.action:denied) OR (process.name:su AND event.outcome:failure)
