CVE-2021-21401

7.1 HIGH

📋 TL;DR

Nanopb, a Protocol Buffers implementation for embedded C, mishandles a oneof that directly contains both a pointer-type (FT_POINTER) member and a static member. If an incoming message encodes the static member first and then the pointer member, the bytes already stored for the static member are treated as a heap pointer and handed to free() or realloc(). Any application that decodes untrusted data with such a schema can be crashed, and depending on the allocator the invalid free can corrupt the heap and potentially lead to code execution. Fixed in 0.3.9.8 and 0.4.5.

💻 Affected Systems

Products:
  • Nanopb Protocol Buffers implementation
Versions: 0.3.x before 0.3.9.8; 0.4.x before 0.4.5
Operating Systems: Any platform Nanopb is compiled for (Linux, Windows, macOS, bare-metal and RTOS embedded targets); the library is plain C and the bug is in the decoder, not in any OS interface.
Default Config Vulnerable: ⚠️ Only when built with PB_ENABLE_MALLOC (not defined by default) and the schema puts an FT_POINTER member in the same oneof as a static member
Notes: The trigger needs three things at once: a oneof that directly contains both a pointer-type member and a static member, a message that encodes the static member before the pointer member, and message bytes an attacker can influence. Schemas whose oneofs are all-static or all-pointer, and decoders that only ever see data produced by trusted code, are not exposed.

📦 What is this software?

Nanopb is a small-code-size Protocol Buffers implementation in ANSI C aimed at microcontrollers and other memory-constrained systems. Applications compile its runtime (pb_decode.c, pb_encode.c, pb_common.c) together with the .pb.c/.pb.h files generated from their .proto schemas, so the fix only takes effect once every application that embeds the library is rebuilt against the patched sources.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Heap corruption leading to code execution. The pointer passed to free() or realloc() is built from attacker-supplied message bytes, so the attacker chooses the address; whether that becomes more than a crash depends on the allocator (glibc aborts on many invalid pointers, typical embedded allocators check nothing) and on what else the attacker can place in memory.

🟠

Likely Case

Process crash (denial of service): on glibc the allocator aborts with a message such as "free(): invalid pointer"; on an embedded target the device hard-faults, resets, or silently corrupts its heap.

🟢

If Mitigated

No impact once the patched decoder is in place, or where the schema has no oneof mixing pointer and static members, or where the decoder never processes attacker-influenced bytes.

🌐 Internet-Facing: MEDIUM - Any endpoint that feeds network data into an affected oneof can be crashed by one unauthenticated message; the rating is moderated only by how uncommon the vulnerable schema shape and PB_ENABLE_MALLOC builds are, not by the rarity of such messages in benign traffic, since an attacker sends what they like.
🏢 Internal Only: LOW - Requires that data reaching the decoder can be shaped by an attacker (a compromised peer, a file, a message bus); internal producers that are themselves trusted do not trigger the bug.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

An attacker needs the schema: which field numbers share a oneof and which member is pointer-typed. That is visible in the .proto/.options files or generated headers, and recoverable from a binary by reverse engineering the nanopb field descriptors. With the schema known, the denial-of-service message is trivial to build (encode the static member, then the pointer member); turning the invalid free() into code execution additionally requires an allocator that does not reject the pointer and a usable memory layout.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.3.9.8 or 0.4.5

Vendor Advisory: https://github.com/nanopb/nanopb/security/advisories/GHSA-7mv5-5mxh-qg88

Restart Required: Yes

Instructions:

1. Identify the Nanopb version in use (the NANOPB_VERSION define in pb.h; check every vendored copy, not just the one in your package manager).
2. Update to version 0.3.9.8 (for the 0.3.x branch) or 0.4.5 (for the 0.4.x branch).
3. Rebuild every application that links the Nanopb runtime; if you also upgrade the generator, regenerate the .pb.c/.pb.h files.
4. Redeploy and restart the affected services or reflash the affected devices.

🔧 Temporary Workarounds

Input validation

all

Before passing bytes to pb_decode(), walk the wire format (tag, wire type, length) for the top-level message and reject any message in which a pointer-type member of a oneof appears after a static member of the same oneof; a stricter and equally safe rule is to reject any message that sets two different members of one oneof, which well-formed producers never do. This is a stopgap for the window before the rebuild, not a replacement for the fix.

Memory hardening

linux

Build test and fuzzing targets with AddressSanitizer so an invalid free()/realloc() is reported at the faulting call with a stack trace instead of corrupting the heap. ASan is a diagnostic, not a production hardening: it costs memory and speed and is not designed as a security boundary, so do not ship it. In production builds rely on the fix; on glibc the allocator's own checks turn most invalid pointers into an abort (a crash rather than silent corruption), while typical embedded allocators check nothing. Link the nanopb runtime and your generated sources into the sanitized build:

gcc -fsanitize=address -g -o program program.c pb_decode.c pb_common.c your_message.pb.c

🧯 If You Can't Patch

  • Remove the trigger at the schema level: per the advisory's description the bug needs a oneof that directly contains both a pointer-type and a static member, so generate all members of each oneof as static (or all as pointer) in your .options file, then regenerate and rebuild
  • Implement a pre-decode check that rejects messages encoding a static member of a oneof followed by a pointer member of the same oneof
  • Isolate Nanopb parsing to sandboxed or containerized environments with limited privileges, so a crash or heap corruption in the decoder does not take the rest of the system with it
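The pre-decode check described under Input validation and in the list above, written as an added example for this page; it is not nanopb's code and not taken from the advisory. It assumes you already know, from your .proto and .options files, which field numbers belong to each oneof of the top-level message and which of those members are generated as FT_POINTER; the `Example` schema, `struct oneof_policy`, `prescan_oneofs`, `example_accepts` and the sample messages are all constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Protocol Buffers wire types; groups (3/4) are never accepted by this scan. */
enum { WT_VARINT = 0, WT_64BIT = 1, WT_LEN = 2, WT_32BIT = 5 };
#define MAX_POLICIES 8

/* One oneof of the top-level message: its member field numbers and, per member,
 * whether nanopb generated it as a pointer (FT_POINTER) field. This comes from
 * your own .proto/.options files, not from nanopb's descriptors (assumption). */
struct oneof_policy {
    const uint32_t *field_nums;
    const int *is_pointer;
    size_t count;
};

/* Decode a base-128 varint. Returns bytes consumed, 0 if truncated or too long. */
static size_t read_varint(const uint8_t *p, size_t len, uint64_t *out)
{
    uint64_t v = 0;
    for (size_t i = 0; i < len && i < 10; i++) {
        v |= (uint64_t)(p[i] & 0x7f) << (7 * i);
        if (!(p[i] & 0x80)) { *out = v; return i + 1; }
    }
    return 0;
}

/* Walk the top-level fields without decoding them. Returns 1 if the bytes may be
 * handed to pb_decode(), 0 if they are malformed or if, for any listed oneof, a
 * pointer member follows a static member: the ordering that triggers CVE-2021-21401. */
int prescan_oneofs(const uint8_t *buf, size_t len,
                   const struct oneof_policy *policies, size_t npolicies)
{
    int static_seen[MAX_POLICIES] = {0};
    size_t pos = 0;

    if (npolicies > MAX_POLICIES) return 0;
    while (pos < len) {
        uint64_t key, tmp;
        size_t n = read_varint(buf + pos, len - pos, &key);
        if (n == 0) return 0;
        pos += n;
        uint32_t field = (uint32_t)(key >> 3);
        if (field == 0 || field > 536870911u) return 0; /* valid numbers: 1..2^29-1 */

        /* Skip the payload by wire type, checking that it fits in the buffer. */
        switch ((unsigned)(key & 7)) {
        case WT_VARINT:
            if ((n = read_varint(buf + pos, len - pos, &tmp)) == 0) return 0;
            pos += n; break;
        case WT_64BIT:
            if (len - pos < 8) return 0;
            pos += 8; break;
        case WT_LEN:
            if ((n = read_varint(buf + pos, len - pos, &tmp)) == 0) return 0;
            if (tmp > len - pos - n) return 0;
            pos += n + (size_t)tmp; break;
        case WT_32BIT:
            if (len - pos < 4) return 0;
            pos += 4; break;
        default:
            return 0;
        }

        /* Record which kind of member each oneof has produced so far. */
        for (size_t i = 0; i < npolicies; i++) {
            const struct oneof_policy *p = &policies[i];
            for (size_t j = 0; j < p->count; j++) {
                if (p->field_nums[j] != field) continue;
                if (p->is_pointer[j] && static_seen[i]) return 0; /* static, then pointer */
                if (!p->is_pointer[j]) static_seen[i] = 1;
            }
        }
    }
    return 1;
}

/* Hypothetical schema for the demo (an assumption, not taken from the advisory):
 *   message Example {
 *     oneof payload { int32 count = 1;   // static member
 *                     bytes blob  = 2; } // generated with type:FT_POINTER
 *     string name = 3;                   // outside the oneof
 *   } */
static const uint32_t example_fields[] = {1, 2};
static const int example_is_ptr[] = {0, 1};
static const struct oneof_policy example_policy = {example_fields, example_is_ptr, 2};

int example_accepts(const uint8_t *buf, size_t len)
{
    return prescan_oneofs(buf, len, &example_policy, 1);
}

/* Constructed sample messages, wire bytes written by hand for this example. */
static const uint8_t msg_benign[]    = {0x12, 2, 'h', 'i', 0x1a, 2, 'o', 'k'}; /* blob, name */
static const uint8_t msg_trigger[]   = {0x08, 5, 0x12, 2, 'h', 'i'};           /* count, then blob */
static const uint8_t msg_reverse[]   = {0x12, 2, 'h', 'i', 0x08, 5};           /* blob, then count */
static const uint8_t msg_truncated[] = {0x12, 5, 'h'};                         /* length past end */

int main(void)
{
    printf("benign=%d trigger=%d reverse=%d truncated=%d\n",
           example_accepts(msg_benign, sizeof msg_benign),
           example_accepts(msg_trigger, sizeof msg_trigger),
           example_accepts(msg_reverse, sizeof msg_reverse),
           example_accepts(msg_truncated, sizeof msg_truncated));
    return 0;
}
```

Call `prescan_oneofs()` on the raw buffer and only hand it to pb_decode() when it returns 1. The scan covers the top-level message only; a oneof inside a submessage needs the same walk applied to that submessage's length-delimited bytes with its own policy. If you would rather not encode the exact trigger, replace the static-then-pointer rule with "any two different members of one oneof", which is stricter and still never rejects a well-formed message.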

🔍 How to Verify

Check if Vulnerable:

Check the Nanopb version in every copy your build uses: Nanopb is usually vendored into the application tree or an SDK rather than installed system-wide, so the package manager's view can differ from what is actually compiled. If the version is below 0.3.9.8 on the 0.3.x branch or below 0.4.5 on the 0.4.x branch, the code is affected; whether it is exploitable additionally depends on PB_ENABLE_MALLOC being defined and on a oneof mixing pointer and static members.

Check Version:

grep -rn "define NANOPB_VERSION" --include=pb.h .

The define lives in pb.h (there is no nanopb.h); generated .pb.h files only carry PB_PROTO_HEADER_VERSION, which identifies the generator compatibility level, not the patch release.

Verify Fix Applied:

Verify that the Nanopb version is 0.3.9.8 or higher (0.3.x branch) or 0.4.5 or higher (0.4.x branch) in every rebuilt binary, then re-run your decoder tests under AddressSanitizer with messages that encode a oneof's static member before its pointer member; the patched decoder should either reject or correctly merge them without any allocator error.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults or allocator aborts during message parsing
  • glibc allocator messages such as "free(): invalid pointer", "realloc(): invalid pointer" or "double free or corruption" in stderr, journald or core-dump metadata; on embedded targets, hard-fault or watchdog-reset counters rising after a firmware receives external messages

Network Indicators:

  • Protocol Buffers payloads that set two different members of the same oneof (in particular a static member followed by a pointer member), which well-formed producers do not generate; this is only observable where a gateway or IDS can parse the payload with the schema
  • High volume of malformed message attempts to parsing endpoints

SIEM Query:

source="application.log" AND ("segmentation fault" OR "free(): invalid pointer" OR "realloc(): invalid pointer" OR "double free or corruption") AND process="<your-nanopb-linked-binary>"

Nanopb is a library compiled into your own executables, so there is no process called nanopb to match on; substitute the names of the binaries that link pb_decode.c.

🔗 References

  • GitHub Security Advisory: https://github.com/nanopb/nanopb/security/advisories/GHSA-7mv5-5mxh-qg88
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-21401