CVE-2021-3609 — HIGH (7.0) — White Hats Nepal

Q: How severe is CVE-2021-3609?

CVE-2021-3609 has been rated HIGH with a CVSS base score of 7.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-3609?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Redhat 3Scale Api Management, Redhat Build Of Quarkus, Redhat Codeready Linux Builder Eus, Redhat Codeready Linux Builder For Power Little Endian Eus.

Vulnerability Description

.A flaw was found in the CAN BCM networking protocol in the Linux kernel, where a local attacker can abuse a flaw in the CAN subsystem to corrupt memory, crash the system or escalate privileges. This race condition in net/can/bcm.c in the Linux kernel allows for local privilege escalation to root.

CVSS Score

7.0

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Linux	Linux Kernel	>= 2.6.25, < 4.4.276
Redhat	3Scale Api Management	2.0
Redhat	Build Of Quarkus	1.0
Redhat	Codeready Linux Builder Eus	8.1
Redhat	Codeready Linux Builder For Power Little Endian Eus	8.1
Redhat	Openshift Container Platform	4.6
Redhat	Virtualization	4.0
Redhat	Virtualization Host	4.0
Redhat	Enterprise Linux Aus	8.2
Redhat	Enterprise Linux Eus	8.1
Redhat	Enterprise Linux For Ibm Z Systems Eus	8.4
Redhat	Enterprise Linux For Ibm Z Systems Eus S390X	8.1
Redhat	Enterprise Linux For Power Little Endian Eus	8.1
Redhat	Enterprise Linux For Real Time	8.0
Redhat	Enterprise Linux For Real Time For Nfv	8.0
Redhat	Enterprise Linux For Real Time For Nfv Tus	8.0
Redhat	Enterprise Linux For Real Time Tus	8.0
Redhat	Enterprise Linux Server Aus	8.2
Redhat	Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions	8.1
Redhat	Enterprise Linux Server Tus	8.2

Related Weaknesses (CWE)

CWE-362

References

https://bugzilla.redhat.com/show_bug.cgi?id=1971651Issue TrackingThird Party Advisory
https://github.com/nrb547/kernel-exploitation/blob/main/cve-2021-3609/cve-2021-3ExploitTechnical DescriptionThird Party Advisory
https://github.com/torvalds/linux/commit/d5f9023fa61ee8b94f37a93f08e94b136cf1e46PatchThird Party Advisory
https://security.netapp.com/advisory/ntap-20220419-0004/Third Party Advisory
https://www.openwall.com/lists/oss-security/2021/06/19/1Mailing ListThird Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1971651Issue TrackingThird Party Advisory
https://github.com/nrb547/kernel-exploitation/blob/main/cve-2021-3609/cve-2021-3ExploitTechnical DescriptionThird Party Advisory
https://github.com/torvalds/linux/commit/d5f9023fa61ee8b94f37a93f08e94b136cf1e46PatchThird Party Advisory
https://security.netapp.com/advisory/ntap-20220419-0004/Third Party Advisory
https://www.openwall.com/lists/oss-security/2021/06/19/1Mailing ListThird Party Advisory

FAQ

What is CVE-2021-3609?

CVE-2021-3609 is a vulnerability with a CVSS score of 7.0 (HIGH). .A flaw was found in the CAN BCM networking protocol in the Linux kernel, where a local attacker can abuse a flaw in the CAN subsystem to corrupt memory, crash the system or escalate privileges. This ...

How severe is CVE-2021-3609?

CVE-2021-3609 has been rated HIGH with a CVSS base score of 7.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-3609?

Check the references section above for vendor advisories and patch information. Affected products include: Linux Linux Kernel, Redhat 3Scale Api Management, Redhat Build Of Quarkus, Redhat Codeready Linux Builder Eus, Redhat Codeready Linux Builder For Power Little Endian Eus.