CVE-2021-34866

Published: Jan 25, 2022Modified: Nov 21, 2024

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel 5.14-rc3. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs, which can result in a type confusion condition. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel. Was ZDI-CAN-14689.

Affected (10)

Products: Linux: Linux Kernel · Netapp: H410c Firmware, H300s Firmware, H500s Firmware, H700s Firmware, H300e Firmware, H500e Firmware, H700e Firmware, H410s Firmware

1 product

8 products

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Linux Linux Kernel	From 5.11 to 5.13.14
Linux Linux Kernel	From 5.8 to 5.10.62

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp H410c Firmware	All versions

Running on/with	Platform Versions
Netapp H410c	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp H300s Firmware	All versions

Running on/with	Platform Versions
Netapp H300s	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp H500s Firmware	All versions

Running on/with	Platform Versions
Netapp H500s	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp H700s Firmware	All versions

Running on/with	Platform Versions
Netapp H700s	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp H300e Firmware	All versions

Running on/with	Platform Versions
Netapp H300e	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp H500e Firmware	All versions

Running on/with	Platform Versions
Netapp H500e	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp H700e Firmware	All versions

Running on/with	Platform Versions
Netapp H700e	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Netapp H410s Firmware	All versions

Running on/with	Platform Versions
Netapp H410s	All versions

Related CWEs

CWE-843

Access of Resource Using Incompatible Type ('Type Confusion')

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

References (4)

https://security.netapp.com/advisory/ntap-20220217-0008/

Source: zdi-disclosures@trendmicro.com

Third Party Advisory

https://www.zerodayinitiative.com/advisories/ZDI-21-1148/

Source: zdi-disclosures@trendmicro.com

Third Party AdvisoryVDB Entry

https://security.netapp.com/advisory/ntap-20220217-0008/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.zerodayinitiative.com/advisories/ZDI-21-1148/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

Timeline

No history available yet.