CVE-2021-20235 – A buffer overflow vulnerability in ZeroMQ versi... (How to Fix)

Q: What is the severity of CVE-2021-20235?

CVE-2021-20235 has a CVSS score of 8.1 (HIGH). A buffer overflow vulnerability in ZeroMQ versions before 4.3.3 allows remote attackers to write arbitrary data when CURVE/ZAP authentication is disabled. This can lead to denial of service, data corruption, or potential remote code execution. Any system running vulnerable ZeroMQ servers with authentication disabled is affected.

📋 TL;DR

A buffer overflow vulnerability in ZeroMQ versions before 4.3.3 allows remote attackers to write arbitrary data when CURVE/ZAP authentication is disabled. This can lead to denial of service, data corruption, or potential remote code execution. Any system running vulnerable ZeroMQ servers with authentication disabled is affected.

💻 Affected Systems

Products:

ZeroMQ (libzmq)

Versions: All versions before 4.3.3

Operating Systems: All platforms running ZeroMQ

Default Config Vulnerable: ✅ No

Notes: Only vulnerable when CURVE/ZAP authentication is disabled. Default configurations with authentication enabled are protected.

📦 What is this software?

Libzmq by Zeromq

View all CVEs affecting Libzmq →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data exfiltration, and persistent backdoor installation.

🟠

Likely Case

Application crash causing denial of service and potential data corruption in affected ZeroMQ services.

🟢

If Mitigated

No impact if CURVE/ZAP authentication is enabled or if systems are properly patched.

🌐 Internet-Facing: HIGH - Remote unauthenticated exploitation possible when authentication disabled.

🏢 Internal Only: MEDIUM - Still exploitable by internal attackers, but attack surface reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending crafted requests to vulnerable ZeroMQ servers with authentication disabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.3.3 and later

Vendor Advisory: https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6

Restart Required: Yes

Instructions:

1. Update libzmq to version 4.3.3 or later using your package manager. 2. For source installations: download latest release from github.com/zeromq/libzmq, compile and install. 3. Restart all ZeroMQ services.

🔧 Temporary Workarounds

Enable CURVE/ZAP Authentication

all

Enable ZeroMQ's built-in authentication mechanisms to prevent exploitation

Configure ZeroMQ server with CURVE or ZAP authentication enabled

Network Segmentation

linux

Restrict access to ZeroMQ ports to trusted networks only

iptables -A INPUT -p tcp --dport <zmq_port> -s <trusted_network> -j ACCEPT
iptables -A INPUT -p tcp --dport <zmq_port> -j DROP

🧯 If You Can't Patch

Enable CURVE or ZAP authentication on all ZeroMQ endpoints
Implement network controls to restrict ZeroMQ traffic to trusted sources only

🔍 How to Verify

Check if Vulnerable:

Check ZeroMQ version and authentication configuration. Run: zmq_version or check package version.

Check Version:

zmq_version or dpkg -l | grep libzmq or rpm -q zeromq

Verify Fix Applied:

Verify ZeroMQ version is 4.3.3 or higher and authentication is properly configured.

📡 Detection & Monitoring

Log Indicators:

Unexpected ZeroMQ service crashes
Memory access violation errors in application logs
Abnormal ZeroMQ connection patterns

Network Indicators:

Unusual traffic patterns to ZeroMQ ports
Crafted packets targeting ZeroMQ services

SIEM Query:

source="*zmq*" AND (event_type="crash" OR error="buffer" OR error="overflow")

📊 Metadata

CVE ID: CVE-2021-20235

CVSS v3 Score: 8.1 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-120

Published: April 1, 2021

Last Updated: November 21, 2024

🔗 References

https://bugzilla.redhat.com/show_bug.cgi?id=1921983 Issue Tracking,Patch,Third Party Advisory
https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6 Patch,Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1921983 Issue Tracking,Patch,Third Party Advisory
https://github.com/zeromq/libzmq/security/advisories/GHSA-fc3w-qxf5-7hp6 Patch,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-20235, you might also want to check these: