Login Sign Up

CVE-2021-29922

9.1 CRITICAL
Authentication Bypass

📋 TL;DR

This vulnerability allows attackers to bypass IP-based access controls by using IP addresses with leading zeros, which Rust incorrectly interprets as octal numbers. It affects all applications using Rust's standard library for IP address parsing before version 1.53.0. Attackers can potentially access restricted resources by crafting malicious IP strings.

💻 Affected Systems

Products:
  • Rust standard library
Versions: All Rust versions before 1.53.0
Operating Systems: All operating systems running affected Rust applications
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using Rust's std::net::Ipv4Addr or std::net::Ipv6Addr parsing functions is vulnerable. This includes web servers, APIs, network services, and any software performing IP-based access control.

📦 What is this software?

Rust by Rust Lang

View all CVEs affecting Rust →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete bypass of network-level access controls, allowing unauthorized access to internal services, data exfiltration, or lateral movement within networks.

🟠

Likely Case

Partial access control bypass for services relying on IP-based authentication, potentially exposing sensitive APIs or administrative interfaces.

🟢

If Mitigated

Limited impact if additional authentication layers exist beyond IP-based controls, or if affected services are not internet-facing.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted IP addresses with leading zeros (e.g., '0177.0.0.1' instead of '127.0.0.1'). The technique is well-documented in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Rust 1.53.0 and later

Vendor Advisory: https://github.com/rust-lang/rust/issues/83648

Restart Required: Yes

Instructions:

1. Update Rust toolchain to version 1.53.0 or later using rustup update. 2. Recompile all affected applications with the updated Rust version. 3. Redeploy patched applications. 4. Restart services using the updated binaries.

🔧 Temporary Workarounds

Input validation wrapper

all

Implement custom IP parsing that strips leading zeros before passing to Rust's standard library functions

// Rust code example:
fn sanitize_ip(ip_str: &str) -> String {
    ip_str.split('.').map(|octet| octet.trim_start_matches('0')).collect::<Vec<_>>().join(".")
}

Network layer filtering

linux

Use firewall rules or WAF to block requests with IP addresses containing leading zeros

# Example iptables rule (adjust as needed):
iptables -A INPUT -p tcp --dport 80 -m string --string "0" --algo bm -j DROP

🧯 If You Can't Patch

  • Implement additional authentication layers beyond IP-based controls
  • Deploy network monitoring to detect anomalous IP address patterns in requests

🔍 How to Verify

Check if Vulnerable:

Check Rust version with 'rustc --version'. If version is below 1.53.0, the system is vulnerable. Test parsing with code that compares '0177.0.0.1' and '127.0.0.1'.

Check Version:

rustc --version

Verify Fix Applied:

After updating to Rust 1.53.0+, verify that '0177.0.0.1' and '127.0.0.1' parse to different IP addresses. Run: 'rustc --version' should show 1.53.0 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Log entries showing IP addresses with leading zeros (e.g., 0177.0.0.1, 00192.168.1.1)
  • Multiple authentication failures from similar IP ranges with octal notation

Network Indicators:

  • HTTP requests with X-Forwarded-For headers containing octal IP notation
  • Unusual traffic patterns from IP addresses that don't match expected ranges

SIEM Query:

source="*access.log*" AND ("0[0-9]+\.[0-9]" OR "[0-9]+\.0[0-9]+")

📊 Metadata

CVE ID: CVE-2021-29922
CVSS v3 Score: 9.1 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Published: August 7, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON