CVE-2020-15166

7.5 HIGH

📋 TL;DR

CVE-2020-15166 is a denial-of-service vulnerability in ZeroMQ where attackers can disrupt message delivery to legitimate clients by connecting raw TCP sockets to CURVE/ZAP-protected endpoints. Users with public TCP transport endpoints are affected, even when CURVE/ZAP authentication is enabled. Legitimate clients still complete their handshakes successfully, yet the server application stops receiving their messages.

💻 Affected Systems

Products:
  • ZeroMQ (libzmq)
Versions: All versions before 4.3.3
Operating Systems: All operating systems running vulnerable ZeroMQ versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with TCP transport endpoints configured with CURVE/ZAP authentication. UDP and other transports are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete disruption of message processing for legitimate clients, causing service unavailability and potential business impact for applications relying on ZeroMQ communication.

🟠 Likely Case

Intermittent or complete denial of service for ZeroMQ-based applications, leading to degraded performance or service outages.

🟢 If Mitigated

Minimal impact if systems are patched or workarounds are implemented; normal message flow continues uninterrupted.

🌐 Internet-Facing: HIGH - Public TCP endpoints are directly exploitable from the internet without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this, but requires network access to vulnerable endpoints.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - Requires only a TCP connection to a vulnerable endpoint.

No public exploit code identified, but the vulnerability is straightforward to exploit given its nature.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.3.3

Vendor Advisory: https://github.com/zeromq/libzmq/security/advisories/GHSA-25wp-cf8g-938m

Restart Required: Yes

Instructions:

1. Update ZeroMQ to version 4.3.3 or later.
2. For package managers: use 'apt-get upgrade libzmq5' (Debian/Ubuntu), 'yum update zeromq' (RHEL/CentOS), or the equivalent for your distribution.
3. For source builds: download from zeromq.org and compile.
4. Restart all ZeroMQ-dependent services.

🔧 Temporary Workarounds

Disable TCP endpoints (all platforms)

Temporarily disable TCP transport endpoints if not required, or switch to other transports like IPC or inproc.

Modify application configuration to remove TCP bind/connect endpoints

Network segmentation (Linux)

Restrict access to ZeroMQ TCP endpoints using firewall rules to trusted sources only.

iptables -A INPUT -p tcp --dport [ZMQ_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [ZMQ_PORT] -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can connect to ZeroMQ TCP endpoints.
  • Monitor for unusual connection patterns or failed message deliveries that might indicate exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check the ZeroMQ version with 'zmq --version' or by examining the installed package version. If the version is below 4.3.3 and TCP endpoints with CURVE/ZAP are used, the system is vulnerable.

Check Version:

zmq --version 2>&1 | grep -o '[0-9]\+\.[0-9]\+\.[0-9]\+' || dpkg -l | grep libzmq || rpm -q zeromq

Verify Fix Applied:

Confirm version is ≥4.3.3 and test message delivery between clients and server with CURVE/ZAP enabled TCP endpoints.
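Added example (not from the advisory or the libzmq project): a POSIX shell check that compares a reported libzmq version against the fixed release 4.3.3, stripping distribution package suffixes such as "-2ubuntu1" first. The installed_zmq_version helper and the package names it probes (libzmq via pkg-config, libzmq5 via dpkg, zeromq via rpm) are assumptions about typical installs.

```shell
#!/bin/sh
# Added example: decide whether a libzmq version predates the CVE-2020-15166 fix.
# Not part of the advisory or libzmq; the package probes below are best-effort.
FIXED_VERSION="4.3.3"

# version_lt A B: return 0 (true) when dotted version A is lower than B.
# Each numeric component is compared on its own, so 4.10.0 sorts above 4.3.3.
version_lt() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        pa=$(printf '%s' "$a" | cut -d. -f"$i"); pa=${pa:-0}
        pb=$(printf '%s' "$b" | cut -d. -f"$i"); pb=${pb:-0}
        if [ "$pa" -lt "$pb" ]; then return 0; fi
        if [ "$pa" -gt "$pb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# zmq_vulnerable VERSION: strip everything from the first non-version character
# (distro revisions like "-2ubuntu1"; note "~rc" pre-release tags are dropped too,
# so treat those by hand), then report whether the fix is missing.
zmq_vulnerable() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    if version_lt "$v" "$FIXED_VERSION"; then
        echo "VULNERABLE: libzmq $v is older than $FIXED_VERSION"
        return 0
    fi
    echo "FIXED: libzmq $v is $FIXED_VERSION or newer"
    return 1
}

# installed_zmq_version: print the local libzmq version using whichever of
# pkg-config, dpkg-query or rpm is present (assumed package names).
installed_zmq_version() {
    pkg-config --modversion libzmq 2>/dev/null && return 0
    dpkg-query -W -f='${Version}\n' libzmq5 2>/dev/null && return 0
    rpm -q --qf '%{VERSION}\n' zeromq 2>/dev/null && return 0
    echo "libzmq version not found" >&2
    return 1
}

# Usage on a host: v=$(installed_zmq_version) && zmq_vulnerable "$v"
```

A "FIXED" result only covers the library version; the advisory's second check, confirming that CURVE/ZAP TCP endpoints still deliver messages after the upgrade, still has to be done against the running application.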

📡 Detection & Monitoring

Log Indicators:

  • Increased failed message deliveries
  • Unusual TCP connection patterns to ZeroMQ ports
  • Handshake successes followed by message processing failures

Network Indicators:

  • Multiple TCP connections to ZeroMQ ports from unexpected sources
  • Connection attempts without proper CURVE/ZAP authentication flow

SIEM Query:

source="*zmq*" AND (event="connection_failed" OR event="message_dropped") | stats count by src_ip
