CVE-2021-20236

CVSS v3.1: 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

📋 TL;DR

A stack overflow in ZeroMQ (libzmq) before version 4.3.3 lets a malicious client crash, and potentially execute code in, any process that hosts a PUB or XPUB socket, by sending a crafted topic subscription and then unsubscribing from it. The libzmq advisory describes it as a stack overflow on a server running a PUB/XPUB socket, reachable with or without CURVE/ZAP, so authenticating subscribers is not a mitigation. The overflow is stack exhaustion in the library's subscription bookkeeping (a deep recursion driven by the topic, not a fixed-size stack buffer being overwritten); NVD nonetheless rates confidentiality, integrity and availability impact as high. What has been demonstrated publicly is a crash of the server process. Any system that accepts connections from untrusted peers on a PUB/XPUB socket is affected.

💻 Affected Systems

Products:
  • ZeroMQ (libzmq)
  • Any software that links libzmq, including language bindings that bundle their own copy of the library (for example pyzmq wheels ship a private libzmq and must be upgraded separately)
Versions: All versions before 4.3.3
Operating Systems: All platforms running ZeroMQ
Default Config Vulnerable: ⚠️ Yes
Notes: Reachable through any PUB or XPUB socket that accepts subscriptions from an untrusted peer; the socket type, not a configuration option, decides exposure. CURVE encryption and ZAP authentication do not prevent it: the advisory lists the bug as reachable with or without CURVE/ZAP.

📦 What is this software?

ZeroMQ (libzmq) is an asynchronous messaging library that provides socket-like endpoints for patterns such as request/reply, push/pull and publish/subscribe over TCP, IPC and in-process transports. It is embedded directly into applications rather than run as a standalone broker, so the "server" in this advisory is whatever process binds a PUB or XPUB socket, and the library version that matters is the one that process actually loads.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution in the process hosting the PUB/XPUB socket, which is what the CVSS 9.8 rating assumes; from there the attacker has whatever that process has (the data it publishes, the credentials it holds, its network position)

🟠

Likely Case

The publisher process crashes (stack exhaustion), so in-flight messages are lost and every subscriber stops receiving until it is restarted; a client can repeat this at will, turning it into a sustained denial of service

🟢

If Mitigated

Limited impact with proper network segmentation and access controls, potentially just service disruption

🌐 Internet-Facing: HIGH - Exploitable remotely without authentication, CVSS 9.8 indicates critical risk for exposed systems
🏢 Internal Only: MEDIUM - Still exploitable by malicious insiders or compromised internal systems, but attack surface is reduced

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The trigger is a crafted topic subscription followed by an unsubscribe of it, sent by any peer the socket accepts; no authentication step is involved, and CURVE/ZAP does not block it. The public proof of concept produces a crash. No reliable code-execution chain is documented here, so the practical risk is unauthenticated denial of service with a code-execution upside for the attacker.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.3.3 and later

Vendor Advisory: https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8

Restart Required: Yes (a running process keeps the old library mapped until it is restarted)

Instructions:

1. Update libzmq to 4.3.3 or later (distribution package, or rebuild from source). If your distribution backports the fix, its advisory, not the upstream version number, tells you which package revision is fixed.
2. Rebuild only what carries its own copy of libzmq: statically linked binaries and bindings that bundle the library (for example pyzmq wheels). Dynamically linked applications pick up the new shared library on restart without a rebuild.
3. Restart every process that had the old library mapped; the fix is not live until then.

🔧 Temporary Workarounds

Network Segmentation

linux

Restrict the ZeroMQ port to trusted clients. Rules are evaluated in order, so the ACCEPT for the trusted network must precede the DROP, and both must be inserted ahead of any existing catch-all ACCEPT in the INPUT chain.

# keep established flows working, then allow only trusted sources on the ZeroMQ port
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport [ZEROMQ_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [ZEROMQ_PORT] -j DROP

Disable Vulnerable Patterns

all

The advisory's own workaround is not to expose PUB/XPUB sockets to untrusted networks. Bind them to internal interfaces or IPC where the design allows it. Do not treat CURVE encryption or ZAP authentication as a substitute: per the advisory the overflow is reachable with or without CURVE/ZAP, so an authenticated but malicious subscriber can still trigger it.

🧯 If You Can't Patch

  • Keep PUB/XPUB sockets off untrusted networks: bind them to internal interfaces and restrict the port with host and network firewalls to the subscribers that need it. Do not rely on CURVE/ZAP for this; the advisory states the bug is reachable with or without them.
  • Where the application uses XPUB, log subscription messages (topic length, peer, rate) and disconnect or rate limit peers that send oversized topics or rapid subscribe/unsubscribe churn; this gives attribution and containment but does not make the library itself safe.
  • Run the publisher under a supervisor that restarts it and alerts on crashes, so an attack shows up as an incident rather than a silent outage.

🔍 How to Verify

Check if Vulnerable:

There is no zmq command-line tool; libzmq ships only as a library. Determine which libzmq each publisher process actually loads (a statically linked or bundled copy can differ from the distribution package) and compare it against 4.3.3. Distributions may backport the fix without changing the upstream version number; in that case consult the distribution advisory rather than the bare version string.

Check Version:

pkg-config --modversion libzmq; dpkg -l 'libzmq*'; rpm -q zeromq; ldd /path/to/application | grep libzmq; python3 -c 'import zmq; print(zmq.zmq_version())'

Verify Fix Applied:

Compare numerically rather than with a digit-range regex (4.3.10 would otherwise fail a pattern like 4\.3\.[3-9]): VER=4.3.4; printf '%s\n' 4.3.3 "$VER" | sort -V | head -n1 | grep -qx 4.3.3 && echo fixed || echo vulnerable
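A runtime version check that does the comparison above numerically, added here as an example (it is not part of the original page or of the libzmq project). It relies on two real interfaces: pyzmq's zmq.zmq_version(), which reports the libzmq the binding is linked against rather than pyzmq's own version, and pkg-config --modversion libzmq. The version strings used as sample input are constructed.

```python
"""Check whether the libzmq on this host is at or past the 4.3.3 fix for
CVE-2021-20236. Added example, not libzmq or distribution tooling."""
import re
import shutil
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = (4, 3, 3)  # first upstream release that fixes CVE-2021-20236

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract major.minor.patch from strings such as '4.3.4' or a dpkg line
    like 'libzmq5 4.3.4-2build1'. Returns None if no x.y.z triple is present.
    A backported distro fix keeps the old upstream triple, so a None or an old
    triple still has to be checked against the distribution advisory."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def is_fixed(version: str) -> bool:
    """True when the version is >= 4.3.3. The tuple comparison treats 4.3.10
    as newer than 4.3.3, which a digit-range regex such as 4\\.3\\.[3-9] does not."""
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"no x.y.z version found in {version!r}")
    return parsed >= FIXED_VERSION


def detect_installed_version() -> Optional[str]:
    """Best-effort discovery of the runtime libzmq version.
    Order: pyzmq's zmq_version() (the libzmq that binding is linked against,
    which for a wheel is a bundled copy, not the distro package), then
    pkg-config. Returns None when neither source is available."""
    try:
        import zmq  # pyzmq; optional dependency
        return zmq.zmq_version()
    except ImportError:
        pass
    if shutil.which("pkg-config"):
        proc = subprocess.run(["pkg-config", "--modversion", "libzmq"],
                              capture_output=True, text=True)
        if proc.returncode == 0 and proc.stdout.strip():
            return proc.stdout.strip()
    return None


if __name__ == "__main__":
    found = detect_installed_version()
    if found is None:
        print("libzmq version not found via pyzmq or pkg-config; check dpkg/rpm/ldd")
    else:
        status = "fixed" if is_fixed(found) else "VULNERABLE (CVE-2021-20236)"
        print(f"libzmq {found}: {status}")
```

Run it once per interpreter or virtualenv that publishes over ZeroMQ: each pyzmq installation can carry its own libzmq, so a fixed system package says nothing about a wheel installed with pip.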

📡 Detection & Monitoring

Log Indicators:

  • libzmq writes no log file of its own, so the evidence is host crash records: kernel "segfault at ... in libzmq.so.5..." lines in dmesg or journald, service-manager entries such as systemd's "Main process exited, code=dumped, status=11/SEGV" for the publisher unit, and new core dumps (coredumpctl list)
  • Repeated restarts of the service hosting the PUB/XPUB socket, especially shortly after a new client connects
  • Memory growth is not a useful indicator here; this bug exhausts the stack, not the heap

Network Indicators:

  • Subscriptions with unusually long topics from a single peer, immediately followed by an unsubscribe of the same topic
  • Many subscribe/unsubscribe operations from one client within a short window (on the order of a second)

SIEM Query (Splunk-style; the index and field names are assumptions to adapt to your environment):

index=os (("segfault at" AND "libzmq") OR ("code=dumped" AND "status=11/SEGV")) | stats count by host, _time
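An application-layer monitor for the subscription pattern described under "Network Indicators" above and in the rate-limiting bullet of "If You Can't Patch", added here as an example; it is not libzmq code and not part of the original page. The one libzmq fact it relies on is the XPUB contract: unlike PUB, an XPUB socket hands each peer subscription to the application as a single frame whose first byte is 0x01 (subscribe) or 0x00 (unsubscribe) followed by the topic bytes, while any other frame is an upstream data message from an XSUB peer. The thresholds, the peer labels (XPUB does not tag subscription frames with their sender; attribution has to come from your own connection tracking) and the sample traffic are all assumptions or constructed.

```python
"""Monitor XPUB subscription frames for the subscribe/unsubscribe pattern behind
CVE-2021-20236. Added example, not libzmq code. Thresholds and sample traffic
are assumptions; only the frame layout (0x01/0x00 + topic) is a libzmq fact."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

MAX_TOPIC_BYTES = 256   # assumed site policy: legitimate topics are short
CHURN_WINDOW_S = 1.0    # assumed window for subscribe/unsubscribe churn
CHURN_LIMIT = 20        # assumed maximum subscription ops per peer per window


def classify_frame(frame: bytes) -> Optional[Tuple[str, bytes]]:
    """Return ('subscribe' | 'unsubscribe', topic) for an XPUB subscription
    frame. Frames that do not start with 0x00/0x01 are upstream data messages
    (XSUB peers may send those) and yield None."""
    if not frame or frame[0] not in (0, 1):
        return None
    return ("subscribe" if frame[0] == 1 else "unsubscribe", frame[1:])


class SubscriptionMonitor:
    """Per-peer subscription activity with findings for oversized topics and
    rapid subscribe/unsubscribe churn."""

    def __init__(self) -> None:
        self._ops: Dict[str, Deque[float]] = defaultdict(deque)  # peer -> op timestamps
        self.findings: List[str] = []

    def observe(self, peer: str, frame: bytes, now: float) -> List[str]:
        """Record one frame received from `peer` at time `now` (seconds);
        return the findings raised by this frame, if any."""
        new: List[str] = []
        parsed = classify_frame(frame)
        if parsed is None:
            return new  # upstream data, not a subscription
        op, topic = parsed
        if len(topic) > MAX_TOPIC_BYTES:
            new.append(f"{peer}: oversized topic ({len(topic)} bytes) in {op}")
        window = self._ops[peer]
        window.append(now)
        while window and now - window[0] > CHURN_WINDOW_S:
            window.popleft()  # drop ops that fell out of the sliding window
        if len(window) == CHURN_LIMIT + 1:  # report once, on first crossing
            new.append(f"{peer}: {len(window)} subscribe/unsubscribe ops "
                       f"within {CHURN_WINDOW_S}s")
        self.findings.extend(new)
        return new


def run_sample() -> List[str]:
    """Constructed traffic (not captured data): one peer sends a 4 KiB topic
    subscribe/unsubscribe pair, one peer churns on a short topic, one is benign."""
    mon = SubscriptionMonitor()
    big = b"A" * 4096
    mon.observe("10.0.0.5:51234", b"\x01" + big, 0.00)
    mon.observe("10.0.0.5:51234", b"\x00" + big, 0.01)
    mon.observe("10.0.0.7:40001", b"\x01weather", 0.05)
    mon.observe("10.0.0.7:40001", b"hello", 0.06)  # upstream data, ignored
    for i in range(25):
        op = b"\x01" if i % 2 == 0 else b"\x00"
        mon.observe("10.0.0.9:60000", op + b"prices", 0.10 + i * 0.02)
    return mon.findings


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Feed observe() with the frames your publisher receives from its XPUB socket. In the default (non-manual) XPUB mode the library has already applied the subscription by the time the frame reaches the application, so on an unpatched libzmq this is attribution and a hook for disconnecting or rate limiting the peer, not a fix.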

🔗 References

  • libzmq security advisory: https://github.com/zeromq/libzmq/security/advisories/GHSA-qq65-x72m-9wr8
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-20236