CVE-2021-3571 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Project Linuxptp

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-125 — Out-of-bounds Read7 documents7 sources

Severity

7.1HIGHNVD

EPSS

0.7%

top 27.48%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linuxptp Project Linuxptp Fedoraproject Fedora Redhat Enterprise Linux

Timeline

PublishedJul 9

Latest updateMay 24

Description

A flaw was found in the ptp4l program of the linuxptp package. When ptp4l is operating on a little-endian architecture as a PTP transparent clock, a remote attacker could send a crafted one-step sync message to cause an information leak or crash. The highest threat from this vulnerability is to data confidentiality and system availability. This flaw affects linuxptp versions before 3.1.1 and before 2.0.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:HExploitability: 2.8 | Impact: 4.2

Affected Packages3 packages

▶NVDlinuxptp_project/linuxptp3.0 — 3.1.1+1

▶Debianlinuxptp_project/linuxptp< 3.1-2.1+3

▶CVEListV5linuxptp_project/linuxptplinuxptp 3.1.1, linuxptp 2.0.1

Also affects: Fedora 33, 34, Enterprise Linux 8.0

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-3v9q-m45q-4cr7: A flaw was found in the ptp4l program of the linuxptp package↗2022-05-24

▶

CVEList

CVE-2021-3571: A flaw was found in the ptp4l program of the linuxptp package↗2021-07-09

▶

OSV

CVE-2021-3571: A flaw was found in the ptp4l program of the linuxptp package↗2021-07-09

▶

📋Vendor Advisories

Microsoft

▶

Red Hat

linuxptp: wrong length of one-step follow-up in transparent clock↗2021-07-05

▶

Debian

CVE-2021-3571: linuxptp - A flaw was found in the ptp4l program of the linuxptp package. When ptp4l is ope...↗2021

▶