CVE-2021-46828 – This vulnerability in libtirpc allows remote at... (How to Fix)

Q: What is the severity of CVE-2021-46828?

CVE-2021-46828 has a CVSS score of 7.5 (HIGH). This vulnerability in libtirpc allows remote attackers to exhaust file descriptors by exploiting mishandled idle TCP connections, potentially causing denial of service through infinite loops in svc_run. It affects any system using vulnerable versions of libtirpc for RPC services. The impact is primarily on availability rather than confidentiality or integrity.

📋 TL;DR

This vulnerability in libtirpc allows remote attackers to exhaust file descriptors by exploiting mishandled idle TCP connections, potentially causing denial of service through infinite loops in svc_run. It affects any system using vulnerable versions of libtirpc for RPC services. The impact is primarily on availability rather than confidentiality or integrity.

💻 Affected Systems

Products:

libtirpc
systems using libtirpc for RPC services

Versions: All versions before 1.3.3rc1

Operating Systems: Linux distributions including Debian, Gentoo, and others using libtirpc

Default Config Vulnerable: ⚠️ Yes

Notes: Systems must be using libtirpc with TCP connections enabled. Many RPC services use libtirpc by default on affected distributions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service for RPC-dependent services, potentially affecting authentication (NIS), file sharing (NFS), or other critical infrastructure services that rely on libtirpc.

🟠

Likely Case

Service degradation or crashes of applications using libtirpc, leading to intermittent availability issues for RPC-based services.

🟢

If Mitigated

Limited impact with proper network segmentation and connection rate limiting, though vulnerable systems remain at risk of DoS.

🌐 Internet-Facing: MEDIUM - While exploitation requires network access to RPC services, many systems don't expose these services externally by default.

🏢 Internal Only: HIGH - Internal systems using RPC services (like NFS, NIS) are vulnerable to DoS attacks from compromised internal hosts.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires establishing TCP connections to vulnerable RPC services but doesn't require authentication. The attack is straightforward - establishing and maintaining idle connections to exhaust file descriptors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.3rc1 and later

Vendor Advisory: https://lists.debian.org/debian-lts-announce/2022/08/msg00004.html

Restart Required: Yes

Instructions:

1. Update libtirpc package to version 1.3.3rc1 or later. 2. For Debian/Ubuntu: apt update && apt upgrade libtirpc. 3. For RHEL/CentOS: yum update libtirpc. 4. Restart affected services using libtirpc.

🔧 Temporary Workarounds

Connection rate limiting

linux

Limit TCP connections to RPC services using firewall rules or connection rate limiting

iptables -A INPUT -p tcp --dport [RPC_PORT] -m connlimit --connlimit-above 50 -j REJECT

File descriptor limits

linux

Increase file descriptor limits for processes using libtirpc to delay exhaustion

ulimit -n 65535
Edit /etc/security/limits.conf to increase nofile limits

🧯 If You Can't Patch

Implement strict network segmentation to isolate RPC services from untrusted networks
Monitor for abnormal connection patterns to RPC services and implement automated blocking

🔍 How to Verify

Check if Vulnerable:

Check libtirpc version: dpkg -l | grep libtirpc or rpm -qa | grep libtirpc

Check Version:

dpkg -l libtirpc* 2>/dev/null || rpm -q libtirpc 2>/dev/null || pkg info libtirpc 2>/dev/null

Verify Fix Applied:

Verify version is 1.3.3rc1 or later: libtirpc --version or check package version

📡 Detection & Monitoring

Log Indicators:

High number of TCP connections to RPC ports
Process crashes or restarts of RPC services
svc_run process consuming high CPU without progress

Network Indicators:

Unusual number of idle TCP connections to RPC ports (typically 111, 2049 for NFS)
Connection attempts from single sources maintaining many open connections

SIEM Query:

source_port=111 OR dest_port=111 OR source_port=2049 OR dest_port=2049 | stats count by src_ip | where count > 50

📊 Metadata

CVE ID: CVE-2021-46828

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-755

Published: July 20, 2022

Last Updated: May 5, 2025

🔗 References

http://git.linux-nfs.org/?p=steved/libtirpc.git%3Ba=commit%3Bh=86529758570cef4c73fb9b9c4104fdc510f701ed
https://lists.debian.org/debian-lts-announce/2022/08/msg00004.html Mailing List,Third Party Advisory
https://security.gentoo.org/glsa/202210-33 Third Party Advisory
https://security.netapp.com/advisory/ntap-20221007-0004/ Third Party Advisory
https://www.debian.org/security/2022/dsa-5200 Third Party Advisory
http://git.linux-nfs.org/?p=steved/libtirpc.git%3Ba=commit%3Bh=86529758570cef4c73fb9b9c4104fdc510f701ed
https://lists.debian.org/debian-lts-announce/2022/08/msg00004.html Mailing List,Third Party Advisory
https://security.gentoo.org/glsa/202210-33 Third Party Advisory
https://security.netapp.com/advisory/ntap-20221007-0004/ Third Party Advisory
https://www.debian.org/security/2022/dsa-5200 Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-46828, you might also want to check these: