CVE-2021-47245
📋 TL;DR
This CVE describes an out-of-bounds read vulnerability in the Linux kernel's netfilter synproxy module when parsing TCP options. Attackers could potentially cause kernel crashes or information disclosure by sending specially crafted TCP packets. Systems running vulnerable Linux kernel versions with netfilter synproxy enabled are affected.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to denial of service, or potential information disclosure from kernel memory
Likely Case
Kernel crash causing system instability or denial of service
If Mitigated
Minimal impact if synproxy is not enabled or systems are properly segmented
🎯 Exploit Status
Exploitation requires sending specially crafted TCP packets to systems with synproxy enabled. No public exploit code identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions containing the fix commits: 576c1526b4d83c44ad7b673cb841f36cbc6cb6c4, 5fc177ab759418c9537433e63301096e733fb915, 674b5f0c6a4fc5d3abce877048290cea6091fcb1, 6defc77d48eff74075b80ad5925061b2fc010d98, 7d9a9a1a88a3da574e019b4de756bc73337b3b0b
Vendor Advisory: https://git.kernel.org/stable/c/576c1526b4d83c44ad7b673cb841f36cbc6cb6c4
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version from your distribution vendor. 2. Reboot system to load new kernel. 3. Verify kernel version after reboot.
🔧 Temporary Workarounds
Disable synproxy module
linuxRemove or disable the netfilter synproxy module if not required
modprobe -r nf_synproxy_core
echo 'blacklist nf_synproxy_core' >> /etc/modprobe.d/blacklist.conf
Network filtering
allUse network firewalls to restrict TCP traffic to systems using synproxy
🧯 If You Can't Patch
- Disable synproxy functionality in netfilter configuration
- Implement network segmentation to isolate vulnerable systems
🔍 How to Verify
Check if Vulnerable:
Check if synproxy module is loaded: lsmod | grep synproxy. Check kernel version against affected ranges.Check Version:
uname -rVerify Fix Applied:
Verify kernel version is updated and synproxy module version matches patched kernel📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs
- System crash dumps
- Netfilter error messages
Network Indicators:
- Unusual TCP packets with malformed options sent to systems with synproxy
SIEM Query:
source="kernel" AND ("panic" OR "oops" OR "synproxy")🔗 References
- https://git.kernel.org/stable/c/576c1526b4d83c44ad7b673cb841f36cbc6cb6c4
- https://git.kernel.org/stable/c/5fc177ab759418c9537433e63301096e733fb915
- https://git.kernel.org/stable/c/674b5f0c6a4fc5d3abce877048290cea6091fcb1
- https://git.kernel.org/stable/c/6defc77d48eff74075b80ad5925061b2fc010d98
- https://git.kernel.org/stable/c/7d9a9a1a88a3da574e019b4de756bc73337b3b0b
- https://git.kernel.org/stable/c/9cdf299ba4e153b5e56187648420de22c6216f02
- https://git.kernel.org/stable/c/e1eb98cfeafdd85537e7e3cefe93ca9bfbcc3ea8
- https://git.kernel.org/stable/c/f648089337cb8ed40b2bb96e244f72b9d97dc96b
- https://git.kernel.org/stable/c/576c1526b4d83c44ad7b673cb841f36cbc6cb6c4
- https://git.kernel.org/stable/c/5fc177ab759418c9537433e63301096e733fb915
- https://git.kernel.org/stable/c/674b5f0c6a4fc5d3abce877048290cea6091fcb1
- https://git.kernel.org/stable/c/6defc77d48eff74075b80ad5925061b2fc010d98
- https://git.kernel.org/stable/c/7d9a9a1a88a3da574e019b4de756bc73337b3b0b
- https://git.kernel.org/stable/c/9cdf299ba4e153b5e56187648420de22c6216f02
- https://git.kernel.org/stable/c/e1eb98cfeafdd85537e7e3cefe93ca9bfbcc3ea8
- https://git.kernel.org/stable/c/f648089337cb8ed40b2bb96e244f72b9d97dc96b
