CVE-2020-29363
📋 TL;DR
This vulnerability is a heap-based buffer overflow in p11-kit's RPC protocol that allows remote attackers to execute arbitrary code or cause denial of service. It affects systems using p11-kit for PKCS#11 cryptographic operations, particularly those with p11-kit server/remote functionality enabled. The vulnerability can be exploited when maliciously crafted serialized byte arrays are processed during attribute deserialization.
💻 Affected Systems
- p11-kit
📦 What is this software?
Communications Cloud Native Core Policy by Oracle
P11 Kit by P11 Kit Project
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with the privileges of the p11-kit process, potentially leading to full system compromise, credential theft, or installation of persistent backdoors.
Likely Case
Denial of service through process crashes, potentially disrupting cryptographic operations and dependent services like TLS/SSL, SSH, or authentication systems.
If Mitigated
Limited impact if proper network segmentation and least privilege principles are applied, with potential for service disruption but not full compromise.
🎯 Exploit Status
Exploitation requires sending specially crafted RPC messages to a vulnerable p11-kit instance. Public advisories and patches have been available since 2020, which reduces the risk of active exploitation, but the risk remains on unpatched systems.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.23.22 or later
Vendor Advisory: https://github.com/p11-glue/p11-kit/security/advisories/GHSA-5j67-fw89-fp6x
Restart Required: Yes
Instructions:
1. Update p11-kit to version 0.23.22 or later using your distribution's package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt upgrade p11-kit
3. For RHEL/CentOS: sudo yum update p11-kit
4. Restart services that use p11-kit, or reboot the system.
🔧 Temporary Workarounds
Disable p11-kit remote/server functionality
If remote p11-kit functionality is not required, disable it to prevent network-based exploitation.
systemctl stop p11-kit-remote
systemctl disable p11-kit-remote
Network isolation
Restrict network access to p11-kit services using firewall rules.
iptables -A INPUT -p tcp --dport 12345 -j DROP
(Replace 12345 with the port your p11-kit service actually listens on.)
🧯 If You Can't Patch
- Implement strict network segmentation to isolate systems running vulnerable p11-kit versions
- Apply principle of least privilege to p11-kit processes and monitor for abnormal behavior
🔍 How to Verify
Check if Vulnerable:
Check the p11-kit version with p11-kit --version. If the version is between 0.23.6 and 0.23.21 inclusive, the system is vulnerable.
Check Version:
p11-kit --version
Verify Fix Applied:
After the update, confirm the installed version is 0.23.22 or later. Compare versions with a version-aware sort rather than a digit-matching regex, so that a version such as 0.23.21 is not mistaken for a patched one: ver=$(p11-kit --version | awk 'NR==1{print $2}'); [ "$(printf '%s\n' 0.23.22 "$ver" | sort -V | head -n1)" = 0.23.22 ] && echo 'Patched' || echo 'Still vulnerable'
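The one-liner above depends on GNU sort -V. The following script is an added example, not part of this advisory or of the p11-kit project: it compares dotted version numbers component by component in POSIX awk, classifies a version against the affected range stated above (0.23.6 through 0.23.21) and the fixed release (0.23.22), and, when run directly, inspects the installed binary. It assumes that p11-kit --version prints "p11-kit X.Y.Z" on its first line.

```shell
#!/bin/sh
# Added example: version-aware check for CVE-2020-29363 (not part of the advisory).
# Assumes `p11-kit --version` prints "p11-kit X.Y.Z" on its first line.

# version_ge A B: succeed (exit 0) if dotted version A >= B, comparing
# numeric components left to right; missing components count as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# parse_p11kit_version OUTPUT: extract the version number from the text
# printed by `p11-kit --version` (assumed format "p11-kit 0.23.22").
parse_p11kit_version() {
    printf '%s\n' "$1" | awk 'NR == 1 && $1 == "p11-kit" { print $2; exit }'
}

# classify_p11kit_version VERSION: print "patched" (>= 0.23.22, the fixed
# release), "vulnerable" (0.23.6 through 0.23.21, the affected range in the
# advisory) or "unaffected" (older than 0.23.6).
classify_p11kit_version() {
    if version_ge "$1" "0.23.22"; then
        echo patched
    elif version_ge "$1" "0.23.6"; then
        echo vulnerable
    else
        echo unaffected
    fi
}

# Stand-alone use: inspect the installed binary, if there is one.
if command -v p11-kit >/dev/null 2>&1; then
    installed=$(parse_p11kit_version "$(p11-kit --version 2>/dev/null)")
    if [ -n "$installed" ]; then
        echo "p11-kit $installed: $(classify_p11kit_version "$installed")"
    else
        echo "could not parse p11-kit --version output"
    fi
fi
```

The numeric comparison is what makes the check safe across release lines: 0.24.0 and 1.0 both compare greater than 0.23.22, while 0.23.21 compares lower, which a regex built from digit ranges gets wrong.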
📡 Detection & Monitoring
Log Indicators:
- Segmentation faults or crashes in p11-kit processes
- Abnormal memory usage patterns in p11-kit
- Unexpected network connections to p11-kit ports
Network Indicators:
- Unusual RPC traffic to p11-kit services
- Malformed serialized data in network packets
SIEM Query:
(process.name:p11-kit AND (event.action:segfault OR event.action:crash)) OR (destination.port:[p11-kit_port] AND network.protocol:rpc)
🔗 References
- https://github.com/p11-glue/p11-kit/releases
- https://github.com/p11-glue/p11-kit/security/advisories/GHSA-5j67-fw89-fp6x
- https://www.debian.org/security/2021/dsa-4822
- https://www.oracle.com/security-alerts/cpuapr2022.html