CVE-2021-37600 - OpenCVE

An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file. NOTE: this is unexploitable in GNU C Library environments, and possibly in all realistic environments.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Local

Access Complexity High

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:L/AC:H/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Netapp	Ontap Select Deploy Administration Utility
Kernel	Util-linux

Configuration 1 [-]

cpe:2.3:a:kernel:util-linux:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/karelzak/util-linux/commit/1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c	Patch Third Party Advisory
https://github.com/karelzak/util-linux/issues/1395	Exploit Issue Tracking Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/04/msg00005.html
https://security.gentoo.org/glsa/202401-08
https://security.netapp.com/advisory/ntap-20210902-0002/	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-07-28T00:00:00

Updated: 2024-04-07T12:06:01.027339

Reserved: 2021-07-28T00:00:00

Link: CVE-2021-37600

JSON object: View

NVD Information

Status : Modified

Published: 2021-07-30T14:15:18.737

Modified: 2024-05-17T01:59:18.363

Link: CVE-2021-37600

JSON object: View

Redhat Information

No data.

CWE

CWE-190

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kernel:util-linux:*:*:*:*:*:*:*:*", "matchCriteriaId": "332D3DCC-3B7E-466E-844E-F2014DC27B45", "versionEndIncluding": "2.37.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*", "matchCriteriaId": "E7CF3019-975D-40BB-A8A4-894E62BD3797", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file. NOTE: this is unexploitable in GNU C Library environments, and possibly in all realistic environments."}, {"lang": "es", "value": "** EN DISPUTA ** Un desbordamiento de enteros en util-linux hasta la versi\u00f3n 2.37.1 puede potencialmente causar un desbordamiento de b\u00fafer si un atacante fuera capaz de utilizar los recursos del sistema de una manera que lleve a un n\u00famero grande en el archivo /proc/sysvipc/sem. NOTA: esto es inexplotable en entornos de GNU C Library, y posiblemente en todos los entornos realistas"}], "id": "CVE-2021-37600", "lastModified": "2024-05-17T01:59:18.363", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 1.2, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:H/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 1.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-07-30T14:15:18.737", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/karelzak/util-linux/commit/1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/karelzak/util-linux/issues/1395"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00005.html"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/202401-08"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210902-0002/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "nvd@nist.gov", "type": "Primary"}]}