CVE-2021-27363

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 5.11.3

Description: An issue in the Linux kernel allows a kernel pointer leak, which can be used to determine the address of the iscsi transport structure. When an iSCSI transport is registered with the iSCSI subsystem, the transport's handle is available to unprivileged users via the sysfs file system, at /sys/class/iscsi transport/$TRANSPORT NAME/handle. The show transport handle function in drivers/scsi/scsi transport iscsi.c leaks the handle, which is actually a pointer to an iscsi transport struct in the kernel module's global variables. This can allow an attacker to disclose protected information or cause a denial of service.

Recommendations: For Linux kernel versions prior to 5.11.3, consider disabling the show transport handle function as a temporary workaround until a patch is available. Restrict access to the /sys/class/iscsi transport/$TRANSPORT NAME/handle sysfs file to minimize the risk of exploitation. Avoid using the handle variable in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.