CVE-2021-28027
📋 TL;DR
This vulnerability in the bam crate for Rust is an integer underflow that leads to an out-of-bounds write while loading bgzip blocks. An attacker who can supply a crafted bgzip file may use it to execute arbitrary code or cause a denial of service. Any Rust application that depends on a vulnerable version of the bam crate is affected.
💻 Affected Systems
- Rust applications using bam crate
📦 What is this software?
The bam crate for Rust, published by the Bam Project
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise
Likely Case
Application crash or denial of service
If Mitigated
Limited impact with proper memory protections and sandboxing
🎯 Exploit Status
Proof of concept available in advisory; exploitation requires processing malicious bgzip files
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: bam crate version 0.1.3 or later
Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0027.html
Restart Required: Yes
Instructions:
1. Update Cargo.toml to require bam >= 0.1.3
2. Run 'cargo update' to fetch the new version
3. Rebuild and redeploy application
4. Restart affected services
🔧 Temporary Workarounds
Disable bgzip processing
Temporarily disable functionality that processes bgzip files
Input validation
Implement strict validation of bgzip files before processing
🧯 If You Can't Patch
- Isolate affected applications in network segments
- Implement strict file upload controls and scanning for bgzip files
🔍 How to Verify
Check if Vulnerable:
Check Cargo.lock for bam crate version < 0.1.3
Check Version:
grep -A2 'name = "bam"' Cargo.lock
Verify Fix Applied:
Verify Cargo.lock shows bam crate version >= 0.1.3
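Added example (not from the advisory or the bam project): a POSIX shell script that extracts the resolved bam version from a Cargo.lock and tells you whether it is below the fixed 0.1.3. It assumes a `sort` that supports `-V` (GNU coreutils).

```shell
#!/bin/sh
# Added example: check a Cargo.lock for a vulnerable bam crate (CVE-2021-28027).
# Assumes GNU sort -V for version ordering.
FIXED_VERSION="0.1.3"

# bam_version_in_lock FILE -> prints the resolved version of the "bam" package, or nothing
bam_version_in_lock() {
    # Cargo.lock is TOML: every [[package]] block lists name = "..." then version = "..."
    awk '
        /^\[\[package\]\]/ { name = "" }
        /^name = "bam"$/   { name = "bam" }
        /^version = /      { if (name == "bam") { gsub(/"/, "", $3); print $3; exit } }
    ' "$1"
}

# version_lt A B -> succeeds if A is strictly older than B in semantic version order
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$first" = "$1" ]
}

# bam_is_vulnerable FILE -> succeeds if the lockfile pins bam older than 0.1.3
bam_is_vulnerable() {
    ver=$(bam_version_in_lock "$1")
    if [ -n "$ver" ] && version_lt "$ver" "$FIXED_VERSION"; then
        return 0
    fi
    return 1
}

# Usage: sh check_bam.sh path/to/Cargo.lock
if [ "$#" -gt 0 ]; then
    if bam_is_vulnerable "$1"; then
        echo "VULNERABLE: bam $(bam_version_in_lock "$1") < $FIXED_VERSION"
    else
        echo "OK: bam not present or already >= $FIXED_VERSION"
    fi
fi
```

The awk match is exact on `name = "bam"`, so crates with similar names (e.g. `bam-tools`) are not mistaken for the affected one, and the version comparison handles multi-digit components such as 0.1.10 correctly.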
📡 Detection & Monitoring
Log Indicators:
- Application crashes with memory access violations
- Unexpected process termination
Network Indicators:
- Unusual file uploads with .bgz or .bgzip extensions
SIEM Query:
process:terminated AND (memory_access_violation OR segmentation_fault)