cbcvebase.
CVE-2021-43267
published 2021-11-02


Priority: P2 · 68 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 57.85% (99.0th percentile)
An issue was discovered in net/tipc/crypto.c in the Linux kernel before 5.14.16. The Transparent Inter-Process Communication (TIPC) functionality allows remote attackers to exploit insufficient validation of user-supplied sizes for the MSG_CRYPTO message type.

Affected

12 ranges
Vendor          Product                                        Version range                   Fixed in
debian          linux                                          < linux 5.14.16-1 (bookworm)    linux 5.14.16-1 (bookworm)
fedoraproject   fedora
fedoraproject   fedora
linux           linux_kernel                                   >= 0 < 5.10.84-1                5.10.84-1
linux           linux_kernel                                   >= 0 < 5.14.16-1                5.14.16-1
linux           linux_kernel                                   >= 0 < 5.14.16-1                5.14.16-1
linux           linux_kernel                                   >= 0 < 5.14.16-1                5.14.16-1
linux           linux_kernel                                   >= 5.10 < 5.10.77               5.10.77
linux           linux_kernel                                   >= 5.11 < 5.14.16               5.14.16
msrc            cbl2_kernel_5.10.78.1-1_on_cbl_mariner_2.0
msrc            cm1_kernel_5.10.78.1-1_on_cbl_mariner_1.0
paloalto        pan-os

Detection & IOCs (extracted from sources)

port: 6118
path: net/tipc/crypto.c
  • Detect MSG_CRYPTO (message type 14) TIPC packets on UDP port 6118; unexpected MSG_CRYPTO messages from untrusted peers should be treated as suspicious and may indicate exploitation attempts.
  • Look for TIPC MSG_CRYPTO packets where the keylen field in the message body is significantly larger than the message payload size (size field from header), indicating a heap overflow attempt — attacker sets a small body size for allocation but a large keylen to overflow.
  • Detect crafted TIPC packets where the Message Size field in the header is set smaller than the actual packet length (skb->len), which is a prerequisite for the exploit to control overflow data.
  • Monitor for unexpected loading of the 'tipc' kernel module on systems where it is not required; the module must be explicitly loaded and is not auto-loaded, so its presence on unexpected hosts is a strong signal.
  • Use the Red Hat-provided SystemTap mitigation script to detect and neutralize MSG_CRYPTO messages by probing tipc_data_input and checking msg_user(hdr) == MSG_CRYPTO (value 14), which can also serve as a detection point.
  • Vulnerable kernel versions are between 5.10-rc1 and 5.15 (specifically before 5.14.16); inventory Linux hosts running these kernel versions with the tipc module loaded as high-priority patching targets.
  • The TIPC module must be explicitly loaded by an administrator; it is not auto-loaded, so the attack surface only exists on systems where TIPC has been deliberately enabled.
  • Remote exploitation is only possible when TIPC is configured over UDP (port 6118); when configured over raw Ethernet, remote exploitation requires the ability to send raw Ethernet frames, limiting the remote attack surface.
  • Red Hat Enterprise Linux 8 is only affected starting with kernel-4.18.0-305.el8 (shipped with RHEL 8.4 GA); earlier RHEL 8 kernels did not include the vulnerable MSG_CRYPTO functionality.
  • The SystemTap-based mitigation that blocks MSG_CRYPTO messages will DISABLE TIPC protocol-level encryption; only apply it on systems that use alternative secure communication methods (e.g., IPSec/MACsec, physical separation).
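The three packet-level checks listed above (MSG_CRYPTO seen at all, keylen inconsistent with the header's message size, header message size smaller than the bytes actually received) can be implemented as a small inspector over the TIPC payload of a UDP/6118 datagram. The following is an added example, not code from the page or from the kernel: the word-0 bit layout (version, user, header size, message size) and the key body layout (32-byte algorithm name followed by a big-endian 32-bit keylen) are taken from my reading of the kernel's TIPC headers and are assumptions here, and the sample packets, header sizes and key bytes are constructed for illustration.

```python
import struct

# Values from the page: MSG_CRYPTO is TIPC message user type 14, carried over UDP port 6118.
MSG_CRYPTO = 14
TIPC_UDP_PORT = 6118
# Assumed layout of the key body: a 32-byte alg_name[] followed by a 32-bit keylen and the key.
TIPC_AEAD_ALG_NAME = 32
KEY_HDR_LEN = TIPC_AEAD_ALG_NAME + 4


def parse_tipc_header(pkt: bytes):
    """Decode word 0 of a TIPC header (assumed bit layout: version 3 bits, user 4 bits,
    header size in words 4 bits, message size 17 bits). Returns None if truncated."""
    if len(pkt) < 4:
        return None
    (w0,) = struct.unpack("!I", pkt[:4])
    return {
        "version": (w0 >> 29) & 0x7,
        "user": (w0 >> 25) & 0xF,
        "hdr_sz": ((w0 >> 21) & 0xF) << 2,   # stored in 32-bit words, returned in bytes
        "msg_sz": w0 & 0x1FFFF,
    }


def inspect_tipc(pkt: bytes) -> list:
    """Return a list of findings for one TIPC message; an empty list means nothing notable."""
    findings = []
    hdr = parse_tipc_header(pkt)
    if hdr is None:
        return ["truncated TIPC header"]
    # Check 3 from the page: header claims fewer bytes than were actually received.
    if hdr["msg_sz"] < len(pkt):
        findings.append("header msg_size smaller than packet length")
    if hdr["user"] != MSG_CRYPTO:
        return findings
    # Check 1: any MSG_CRYPTO from an untrusted peer is worth logging on its own.
    findings.append("MSG_CRYPTO message observed")
    data_sz = hdr["msg_sz"] - hdr["hdr_sz"]
    body = pkt[hdr["hdr_sz"]:]
    if data_sz < KEY_HDR_LEN or len(body) < KEY_HDR_LEN:
        findings.append("MSG_CRYPTO body too short for key header")
        return findings
    # Check 2: keylen must account for exactly the data bytes the header announces.
    (keylen,) = struct.unpack("!I", body[TIPC_AEAD_ALG_NAME:KEY_HDR_LEN])
    if keylen + KEY_HDR_LEN != data_sz:
        findings.append(f"keylen {keylen} inconsistent with data size {data_sz}")
    return findings


# --- constructed sample traffic (not captured data) ---------------------------------

def build_tipc(user: int, hdr_sz: int, msg_sz: int, body: bytes, version: int = 2) -> bytes:
    """Build a TIPC message with the given word-0 fields; remaining header words are zero."""
    w0 = (version << 29) | (user << 25) | ((hdr_sz >> 2) << 21) | (msg_sz & 0x1FFFF)
    return struct.pack("!I", w0) + bytes(hdr_sz - 4) + body


def crypto_body(keylen_field: int, key_bytes: bytes) -> bytes:
    """Key body: zero-padded algorithm name, keylen field, then the key material."""
    return b"gcm(aes)".ljust(TIPC_AEAD_ALG_NAME, b"\x00") + struct.pack("!I", keylen_field) + key_bytes


HDR = 40  # header size chosen for the constructed MSG_CRYPTO samples
KEY = bytes(20)  # placeholder 16-byte key plus 4-byte salt

SAMPLES = {
    # ordinary data message, not MSG_CRYPTO
    "benign_data": build_tipc(0, 24, 24 + 10, b"hello tipc"),
    # well-formed key message: keylen (20) + key header (36) == data size (56)
    "benign_crypto": build_tipc(MSG_CRYPTO, HDR, HDR + KEY_HDR_LEN + 20, crypto_body(20, KEY)),
    # small announced body but a large keylen field, the mismatch the page describes
    "oversized_keylen": build_tipc(MSG_CRYPTO, HDR, HDR + KEY_HDR_LEN + 20, crypto_body(0x10000, KEY)),
    # header says 96 bytes but 160 arrived on the wire
    "undersized_msg_size": build_tipc(MSG_CRYPTO, HDR, HDR + KEY_HDR_LEN + 20, crypto_body(20, KEY) + bytes(64)),
}


def scan_samples() -> dict:
    """Run the inspector over every constructed sample; maps sample name to its findings."""
    return {name: inspect_tipc(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name}: {findings or 'clean'}")
```

In a sensor this function would be fed the UDP payload of each datagram to port 6118; the first finding is informational on hosts that legitimately use TIPC key exchange, while the keylen mismatch and the undersized header size are the conditions to alert on.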

CVSS provenance

nvd (v3.1):     9.8 CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0):     7.5 HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv:            9.8 CRITICAL
vendor_debian:  9.8 CRITICAL
vendor_msrc:    9.8 CRITICAL
vendor_redhat:  9.8 CRITICAL
vendor_ubuntu:  7.8 HIGH