CVE-2021-28375 in Linuxinfo

Summary

by MITRE • 03/15/2021

An issue was discovered in the Linux kernel through 5.11.6. fastrpc_internal_invoke in drivers/misc/fastrpc.c does not prevent user applications from sending kernel RPC messages, aka CID-20c40794eb85. This is a related issue to CVE-2019-2308.


Analysis

by VulDB Data Team • 04/01/2021

CVE-2021-28375 is a missing-authorization flaw in the Linux kernel's fastrpc driver (drivers/misc/fastrpc.c), affecting kernels up to and including 5.11.6. fastrpc lets user-space processes on Qualcomm platforms invoke remote procedures on the Hexagon DSP through the /dev/fastrpc-* character devices. A small set of RPC messages, addressed to a reserved handle, are meant to be sent only by the driver itself, for example when it attaches to or creates a process on the DSP. fastrpc_internal_invoke did not check whether a request for that handle came from the kernel or from a user-space ioctl, so any process able to open the device could send those kernel-only messages.

The defect is an access-control gap, not memory corruption. fastrpc_internal_invoke carries a `kernel` flag that distinguishes calls the driver makes on its own behalf from calls that arrive through the FASTRPC_IOCTL_INVOKE path; before the fix, that flag was not consulted when deciding whether a request may target the reserved kernel handle, so the user/kernel distinction the driver already tracked was never enforced. This is improper access control (CWE-284), more precisely a missing authorization check. The CWE-787 (out-of-bounds write) classification attached to this entry does not describe the bug: no buffer is overrun, a permission check is absent.

The impact lands on the DSP side rather than as a direct kernel code-execution primitive. The kernel-only messages drive process setup on the DSP, so a local, unprivileged process with access to the fastrpc device could use them to load unintended code into the DSP or disrupt its process management; from there, whatever the DSP can reach (its shared memory and peripherals) is in scope. Exploitation requires local access to a system that exposes fastrpc, which limits it to Qualcomm-based devices with the driver enabled. The relationship to the earlier CVE-2019-2308 shows that the boundary between user-initiated and kernel-initiated DSP messages has been mishandled in this code path more than once, which is a reason to review the whole invoke path rather than the single check.

Mitigation is a kernel update to a release containing commit 20c40794eb85 ("misc: fastrpc: restrict user apps from sending kernel RPC messages"): 5.12, or the stable releases that backported it, 5.11.7 and later in the 5.11 series. The fix is small: fastrpc_internal_invoke now rejects a request that targets the reserved kernel handle unless the `kernel` flag is set, returning -EPERM and emitting a rate-limited warning. Where updating is delayed, restrict which users can open the /dev/fastrpc-* nodes (device permissions, udev or SELinux policy) and watch the kernel log for the warning the patch emits, since a hit means a process attempted exactly this. In ATT&CK terms the issue maps to T1068 (Exploitation for Privilege Escalation); T1548 (Abuse Elevation Control Mechanism) is a loose fit, as no elevation-control mechanism is being abused.
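The check described in the two paragraphs above (the unused `kernel` flag, and the one-line fix that compares it against the reserved handle) is easier to see side by side. The following is an added user-space model, not code from the kernel or from the fix: the driver's context allocation and rpmsg transport are replaced by a stub, `demo_user` is a constructed caller, and the handle value 0 and the function names are assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Reserved handle used by the driver for its own DSP setup messages
 * (process create/attach). Assumed value for this model. */
#define FASTRPC_INIT_HANDLE 0u

struct fastrpc_user {
    int pid;   /* owner of the open file, used only for the warning */
};

/* Constructed sample caller used by main() and by the checks below. */
struct fastrpc_user demo_user = { .pid = 1234 };

/* Stand-in for allocating an invoke context and queuing the message to
 * the DSP; the real driver does far more, but the access decision is
 * taken before any of it, so the stub just reports "sent". */
static int model_send_to_dsp(struct fastrpc_user *fl, unsigned int handle)
{
    (void)fl;
    (void)handle;
    return 0;
}

/* Before the fix: `kernel` records whether the call came from the driver
 * itself (true) or from the FASTRPC_IOCTL_INVOKE path (false), but it is
 * never compared against the handle, so a user process can target the
 * reserved handle like any other. */
int invoke_vulnerable(struct fastrpc_user *fl, bool kernel, unsigned int handle)
{
    (void)kernel;
    return model_send_to_dsp(fl, handle);
}

/* After the fix: a request for the reserved handle is honoured only when
 * the driver itself made it. User-space requests get -EPERM plus a warning
 * (rate-limited in the real driver) that monitoring can pick up from dmesg. */
int invoke_fixed(struct fastrpc_user *fl, bool kernel, unsigned int handle)
{
    if (handle == FASTRPC_INIT_HANDLE && !kernel) {
        fprintf(stderr,
                "fastrpc: user app (pid %d) trying to send a kernel RPC message (%u)\n",
                fl->pid, handle);
        return -EPERM;
    }
    return model_send_to_dsp(fl, handle);
}

int main(void)
{
    /* The same requests through both versions of the entry check. */
    printf("vulnerable, user   -> init handle: %d\n",
           invoke_vulnerable(&demo_user, false, FASTRPC_INIT_HANDLE));
    printf("fixed,      user   -> init handle: %d (-EPERM is %d)\n",
           invoke_fixed(&demo_user, false, FASTRPC_INIT_HANDLE), -EPERM);
    printf("fixed,      kernel -> init handle: %d\n",
           invoke_fixed(&demo_user, true, FASTRPC_INIT_HANDLE));
    printf("fixed,      user   -> handle 7:    %d\n",
           invoke_fixed(&demo_user, false, 7));
    return 0;
}
```

The point the model makes is that the information needed for the decision was already present at the call site; the bug was that nothing consumed it. When reviewing similar ioctl-backed drivers, look for every privileged operation the driver performs through the same internal entry point as user requests and confirm the caller-origin flag gates each of them, not just the ones that were reported.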

Reservation

03/15/2021

Disclosure

03/15/2021

Moderation

accepted

CPE

ready

EPSS

0.00305

KEV

no

Activities

very low

Sources
