CVE-2021-47191
📋 TL;DR
This is a stack out-of-bounds read in the Linux kernel's scsi_debug driver, a test driver that emulates SCSI devices. A local user who can send SCSI commands to an emulated device (for example through its /dev/sg node) can make the driver copy past the end of a small on-stack buffer, which crashes the kernel or returns kernel stack contents to the caller. It is a read, not a write, so it does not corrupt kernel memory on its own. Only systems with the scsi_debug module loaded (or built in) are affected.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic (denial of service), or disclosure of kernel stack memory to a local user, which may include return addresses and other values useful for chaining with a separate vulnerability. There is no write primitive, so this bug alone does not yield code execution or privilege escalation.
Likely Case
A kernel oops or panic (denial of service). A smaller over-read can complete silently and hand kernel stack bytes back to the caller in the command's reply buffer.
If Mitigated
No exposure if scsi_debug is not loaded, which should be the normal state: it is a test driver, not a storage driver. If it must be loaded, limiting who can open its device nodes limits who can trigger the bug.
🎯 Exploit Status
Discovered by the syzkaller fuzzer, which has a reproducer. Triggering it requires local access and the ability to send SCSI commands to a scsi_debug device, which in practice means opening its /dev/sg* or block node; udev typically restricts those nodes to root and a privileged group.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: not a single release number; the fix is carried by commits 3e20cb072679, 4e3ace0051e7 and 5b8bed6464ad (git commit IDs, one per kernel branch). Map them to a release with your distribution's changelog or git describe --contains.
Fix commit (git): https://git.kernel.org/stable/c/3e20cb072679bdb47747ccc8bee3233a4cf0765a
Restart Required: Yes
Instructions:
1. Update the kernel to a build that contains the fix commit for your branch. 2. Reboot so the new kernel is running. 3. Leave scsi_debug unloaded unless a test workflow actually needs it.
🔧 Temporary Workarounds
Disable scsi_debug module
Prevent the scsi_debug module from loading. A blacklist entry only stops alias-based autoloading; the install override also makes an explicit modprobe fail.
echo 'blacklist scsi_debug' >> /etc/modprobe.d/blacklist.conf
echo 'install scsi_debug /bin/false' >> /etc/modprobe.d/blacklist.conf
rmmod scsi_debug
Restrict device access
Limit access to the device nodes of scsi_debug devices. Note that /dev/sg* covers every SCSI generic node on the host, not only the emulated ones, that scsi_debug also exposes block nodes (/dev/sd*) which need the same treatment, and that udev resets permissions on reboot unless the change is made in a udev rule. A setfacl entry for root adds nothing once the mode is 600, because root already owns the node.
chmod 600 /dev/sg*
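The workarounds above as a small script, added here as an example; it is not from the original advisory or from the kernel project. The drop-in filename is an assumption, and each function takes its directory (modprobe.d, sysfs, /dev) as a parameter so the logic can be dry-run against a scratch directory before touching a live host. It also shows why a bare blacklist entry is not enough.

```shell
#!/bin/sh
# Added example for the CVE-2021-47191 workaround; not from the original
# advisory. File and directory names are assumptions.

# Write a modprobe drop-in that keeps scsi_debug out of the kernel.
# "blacklist" only stops alias-based autoloading; a user or script running
# "modprobe scsi_debug" explicitly would still succeed. The "install"
# override replaces the load command with /bin/false, so that fails too.
write_scsi_debug_block() {
    conf_dir=${1:-/etc/modprobe.d}
    conf="$conf_dir/scsi_debug-cve-2021-47191.conf"   # assumed filename
    printf '%s\n' \
        '# CVE-2021-47191: scsi_debug is a test driver, keep it unloaded' \
        'blacklist scsi_debug' \
        'install scsi_debug /bin/false' > "$conf" || return 1
    printf '%s\n' "$conf"
}

# Return 0 when scsi_debug is present. Every loaded module (and every
# built-in one that has parameters, which scsi_debug does) gets a
# /sys/module/<name> directory, so this works without parsing lsmod output.
scsi_debug_present() {
    sysfs_modules=${1:-/sys/module}
    [ -d "$sysfs_modules/scsi_debug" ]
}

# Unload scsi_debug if it is loaded. rmmod refuses while the emulated
# devices are open or mounted, so surface that instead of hiding it.
unload_scsi_debug() {
    scsi_debug_present || return 0
    if rmmod scsi_debug; then
        return 0
    fi
    echo "scsi_debug still in use: close or unmount its /dev/sd* and /dev/sg* nodes first" >&2
    return 1
}

# Restrict the generic SCSI nodes. A glob over /dev/sg* also covers real
# SCSI devices, and udev recreates nodes with default permissions on
# reboot, so a udev rule is the durable form of this change.
restrict_sg_nodes() {
    dev_dir=${1:-/dev}
    for node in "$dev_dir"/sg*; do
        [ -e "$node" ] || continue
        chmod 600 "$node" || return 1
    done
}
```

Run write_scsi_debug_block and restrict_sg_nodes with no arguments on the real host as root; unload_scsi_debug reports failure rather than silently leaving the module loaded when a process still holds one of its devices open.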
🧯 If You Can't Patch
- Ensure scsi_debug is never loaded on production systems; it is a test driver that emulates SCSI devices and is not needed for real storage
- Restrict which local users can open the device nodes of scsi_debug devices, and apply least privilege to local accounts generally
🔍 How to Verify
Check if Vulnerable:
Check whether scsi_debug is present: lsmod | grep scsi_debug (an empty result means the vulnerable code is not reachable, unless the driver is compiled in; check CONFIG_SCSI_DEBUG in the kernel config for that case)
Check Version:
uname -r
Verify Fix Applied:
Compare the running version from uname -r with the fixed version named in your distribution's advisory for your kernel series (the fix commits land in different branches, and enterprise kernels backport fixes without changing the base version), and confirm scsi_debug is not loaded.
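A version check for the verification steps above, added as an example; it is not from the advisory. The fixed version is an input that must come from your distribution's advisory for your kernel series, and the version strings in the comments and tests are placeholders. It assumes GNU sort -V and a /boot/config-$(uname -r) file, does not understand -rc tags, and treats a built-in scsi_debug (CONFIG_SCSI_DEBUG=y) as reachable because it cannot be unloaded.

```shell
#!/bin/sh
# Added example, not part of the original advisory. The fixed version is an
# input: take it from your distribution's advisory for your kernel series.

# "5.15.3-200.fc35.x86_64" -> "5.15.3". Distro suffixes are not comparable
# across vendors, so only the upstream base version is used.
kernel_base_version() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+(\.[0-9]+)*).*/\1/'
}

# Return 0 if the running kernel ($1) is at or above the fixed version ($2).
# sort -V orders dotted version numbers numerically (assumption: GNU coreutils).
kernel_at_least() {
    running=$(kernel_base_version "$1")
    fixed=$(kernel_base_version "$2")
    lowest=$(printf '%s\n%s\n' "$fixed" "$running" | sort -V | head -n 1)
    [ "$lowest" = "$fixed" ]
}

# Return 0 when the scsi_debug code is present in the running kernel:
# loaded as a module (sysfs directory) or compiled in (CONFIG_SCSI_DEBUG=y),
# in which case there is nothing to unload and only patching helps.
scsi_debug_reachable() {
    sysfs_modules=${1:-/sys/module}
    kconfig=${2:-/boot/config-$(uname -r)}
    [ -d "$sysfs_modules/scsi_debug" ] && return 0
    [ -r "$kconfig" ] && grep -q '^CONFIG_SCSI_DEBUG=y$' "$kconfig" && return 0
    return 1
}

# Combine both checks. Exit codes: 0 patched, 1 unpatched but unreachable,
# 2 unpatched and reachable. Arguments 3 and 4 default to the live paths.
assess_cve_2021_47191() {
    running=$1 fixed=$2 sysfs_modules=$3 kconfig=$4
    if kernel_at_least "$running" "$fixed"; then
        echo "patched: $running >= $fixed"
        return 0
    fi
    if scsi_debug_reachable "$sysfs_modules" "$kconfig"; then
        echo "VULNERABLE: $running < $fixed and scsi_debug is present"
        return 2
    fi
    echo "unpatched ($running < $fixed) but scsi_debug is not present"
    return 1
}
```

On a live host call assess_cve_2021_47191 "$(uname -r)" "<fixed version from your vendor>" and act on the exit code. Compare only within one stable series: a kernel from an older series with the backport applied is older numerically than the fixed version of a newer series, yet patched, which is why the fixed version must be the one for your branch.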
📡 Detection & Monitoring
Log Indicators:
- KASAN reports of stack-out-of-bounds in sg_copy_buffer (only on kernels built with CONFIG_KASAN, i.e. test and fuzzing builds; a normal production kernel has no KASAN and reports nothing until it crashes)
- Kernel oops or panic messages with scsi_debug or sg functions in the call trace, following SCSI commands sent to an emulated device
Network Indicators:
- None - local exploitation only
SIEM Query:
kernel: *KASAN* AND *stack-out-of-bounds* AND *sg_copy_buffer*
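The log indicators and SIEM query above as a grep-based check that runs over dmesg output or a syslog file; this is an added example, not from the advisory. The sample log is constructed here (timestamps, addresses and symbol offsets are made up) and contains two decoys to show why both tokens of the signature are required. KASAN lines only exist on kernels built with CONFIG_KASAN; on a production kernel the same bug surfaces as an oops or panic.

```shell
#!/bin/sh
# Added example, not from the original advisory. Matches the KASAN signature
# for CVE-2021-47191 in a kernel log; the sample log below is constructed.

SIG='BUG: KASAN: stack-out-of-bounds in sg_copy_buffer'

# Print each matching report line; exit 0 if at least one is found.
# Both tokens are required: sg_copy_buffer also appears in harmless call
# traces, and stack-out-of-bounds is reported for bugs in any driver.
find_scsi_debug_oob() {
    grep -E "$SIG" "$1"
}

# Number of KASAN reports for this signature (one "BUG:" line per report).
count_scsi_debug_oob() {
    n=$(grep -Ec "$SIG" "$1" || true)   # grep -c exits 1 on zero matches
    printf '%s\n' "$n"
}

# Constructed sample log: one real hit, two decoys, one unrelated line.
# The decoys are a KASAN report from a different driver and a benign call
# trace line that mentions sg_copy_buffer; neither should match.
write_sample_log() {
    printf '%s\n' \
        '[  412.002000] BUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x1a0/0x200' \
        '[  412.003000] Read of size 4096 at addr ffffc90000a1f540 by task repro/1234' \
        '[  412.004000] Call Trace:' \
        '[  412.005000]  sg_copy_from_buffer+0x2f/0x40' \
        '[  500.000000] BUG: KASAN: slab-out-of-bounds in some_other_driver_fn+0x10/0x80' \
        '[  600.000000]  sg_copy_buffer+0x1a0/0x200' \
        '[  700.000000] usb 1-1: new high-speed USB device number 3 using xhci_hcd' \
        > "$1"
}
```

On a live host run dmesg > /tmp/kern.log (or point the functions at /var/log/kern.log) and alert when count_scsi_debug_oob is non-zero; the lines after the matching BUG: line carry the task name and PID of the process that sent the command.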
🔗 References
- https://git.kernel.org/stable/c/3e20cb072679bdb47747ccc8bee3233a4cf0765a
- https://git.kernel.org/stable/c/4e3ace0051e7e504b55d239daab8789dd89b863c
- https://git.kernel.org/stable/c/5b8bed6464ad6653586e30df046185fd816ad999