CVE-2021-3345

7.8 HIGH

📋 TL;DR

This vulnerability is a heap-based buffer overflow in Libgcrypt's _gcry_md_block_write function when processing large count values during digest finalization. It affects systems using Libgcrypt 1.9.0 for cryptographic operations, potentially allowing attackers to execute arbitrary code or cause denial of service.

💻 Affected Systems

Products:
  • Libgcrypt
  • GnuPG
  • Applications using Libgcrypt library
Versions: Libgcrypt version 1.9.0 only
Operating Systems: Linux, Unix-like systems, Any OS running Libgcrypt
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects version 1.9.0; earlier versions are not vulnerable. Applications must use the vulnerable digest finalization function with large count values.

📦 What is this software?

Libgcrypt is the general-purpose cryptographic library maintained by the GnuPG project. It supplies hash functions, symmetric and public-key ciphers, MACs and random numbers to GnuPG itself and to many other applications that link against it.
⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or ransomware deployment.

🟠

Likely Case

Denial of service through application crashes or system instability when processing malicious inputs.

🟢

If Mitigated

Limited impact if systems are patched, use proper input validation, or have exploit mitigations like ASLR and stack canaries.

🌐 Internet-Facing: MEDIUM - Exploitation requires specific conditions but could affect services using Libgcrypt for cryptographic operations exposed to untrusted inputs.
🏢 Internal Only: MEDIUM - Internal applications using vulnerable Libgcrypt versions could be exploited through malicious internal traffic or compromised systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires control over the count parameter in digest finalization, which may require specific application conditions. No public exploits have been documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Libgcrypt 1.9.1 or later

Vendor Advisory: https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000455.html

Restart Required: Yes

Instructions:

1. Check the current Libgcrypt version with 'libgcrypt-config --version'.
2. Download Libgcrypt 1.9.1+ from https://gnupg.org/download/.
3. Compile and install following the INSTALL instructions.
4. Restart any services using Libgcrypt.

🔧 Temporary Workarounds

Downgrade to Libgcrypt 1.8.x

Platform: Linux

Revert to a non-vulnerable version if upgrading to 1.9.1 is not immediately possible.

apt-get install libgcrypt20=1.8.5-5ubuntu1 (example for Ubuntu)
yum downgrade libgcrypt-1.8.5 (example for RHEL)

🧯 If You Can't Patch

  • Implement strict input validation in applications using Libgcrypt to prevent large count values.
  • Use exploit mitigations like ASLR, stack canaries, and memory protection mechanisms.

🔍 How to Verify

Check if Vulnerable:

Run 'libgcrypt-config --version' and check if output is exactly '1.9.0'.

Check Version:

libgcrypt-config --version

Verify Fix Applied:

After patching, run 'libgcrypt-config --version' and confirm version is 1.9.1 or higher.
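As an added example (not part of the advisory), the version check above as a small POSIX shell script: it classifies a version string as vulnerable (exactly 1.9.0), fixed (1.9.1 or later) or unaffected (1.8.x and earlier), and a wrapper runs it against the installed 'libgcrypt-config' when one is on PATH. The sample versions at the end are constructed inputs.

```shell
#!/bin/sh
# Added example, not part of the advisory: classify a Libgcrypt version string
# against CVE-2021-3345. Only 1.9.0 is affected; 1.9.1 and later carry the fix;
# 1.8.x and earlier never had the bug.

# libgcrypt_status VERSION -> prints vulnerable|fixed|unaffected|unknown
# Exit status: 0 = not vulnerable, 1 = vulnerable, 2 = could not parse.
libgcrypt_status() {
    # Drop any suffix such as "-beta123" that libgcrypt-config may append.
    base=${1%%-*}
    oldifs=$IFS; IFS=.
    set -- $base            # split on dots into $1 $2 $3
    IFS=$oldifs
    major=${1:-}; minor=${2:-0}; micro=${3:-0}
    for field in "$major" "$minor" "$micro"; do
        case $field in ''|*[!0-9]*) echo "unknown"; return 2;; esac
    done
    if [ "$major" -eq 1 ] && [ "$minor" -eq 9 ] && [ "$micro" -eq 0 ]; then
        echo "vulnerable"; return 1
    elif [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 9 ]; }; then
        # 1.9.x with x >= 1, 1.10+, or 2.x: contains the 1.9.1 fix
        echo "fixed"; return 0
    else
        echo "unaffected"; return 0
    fi
}

# Query the installed library when libgcrypt-config is on PATH.
check_installed_libgcrypt() {
    if ! command -v libgcrypt-config >/dev/null 2>&1; then
        echo "libgcrypt-config not found; query your package manager instead" >&2
        return 2
    fi
    libgcrypt_status "$(libgcrypt-config --version)"
}

# Constructed sample inputs showing each outcome.
for v in 1.8.5 1.9.0 1.9.1 1.10.3 abc; do
    printf '%-10s %s\n' "$v" "$(libgcrypt_status "$v")"
done
check_installed_libgcrypt || :
```

The exit status of check_installed_libgcrypt (1 when vulnerable) makes it usable from a configuration-management or fleet-audit job.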

📡 Detection & Monitoring

Log Indicators:

  • Application crashes or segmentation faults in processes using Libgcrypt
  • Unexpected memory access errors in system logs

Network Indicators:

  • Unusual network traffic to services using cryptographic functions
  • Anomalous payload sizes in cryptographic operations

SIEM Query:

source=*log* AND ("segmentation fault" OR "buffer overflow") AND process="*libgcrypt*"
