CVE-2021-36155
📋 TL;DR
CVE-2021-36155 is a denial-of-service vulnerability in gRPC Swift's LengthPrefixedMessageReader that allows remote attackers to cause uncontrolled resource consumption by forcing the allocation of arbitrarily large buffers. This affects all applications using gRPC Swift 1.1.0 or earlier for network communication. The vulnerability can lead to service disruption through memory exhaustion.
💻 Affected Systems
- gRPC Swift
📦 What is this software?
Grpc Swift by Linuxfoundation
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage due to memory exhaustion, potentially affecting multiple services in containerized environments where memory limits are shared.
Likely Case
Degraded performance or temporary service unavailability for affected endpoints, requiring restart of impacted services.
If Mitigated
Minimal impact with proper memory limits and monitoring in place, allowing for quick detection and recovery.
🎯 Exploit Status
The vulnerability is straightforward to exploit by sending specially crafted messages with large length prefixes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.0 and later
Vendor Advisory: https://github.com/grpc/grpc-swift/security/advisories/GHSA-rxmj-hg9v-vp3p
Restart Required: Yes
Instructions:
1. Update the gRPC Swift dependency to version 1.2.0 or later.
2. Rebuild and redeploy your application.
3. Restart affected services.
🔧 Temporary Workarounds
Implement message size limits
Configure gRPC to reject messages exceeding a reasonable size threshold.
// In gRPC Swift configuration: maxReceiveMessageLength = 1048576 // 1MB limit
Network filtering
Use a WAF or network filtering to block messages with suspicious length prefixes.
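To make the message-size workaround concrete, here is an added example (written for this page, not code from the gRPC Swift project) of a length-prefixed message reader that enforces a receive limit. gRPC frames each message as a 1-byte compression flag, a 4-byte big-endian length and the payload; the reader below reads that header, compares the declared length against the configured maximum before reserving any memory for the payload, and only then buffers the bytes that actually arrive. The class name, the 4 MiB default and the sample frames are assumptions constructed for this example.

```python
import struct
from typing import Optional, Tuple

# gRPC length-prefixed message header: 1-byte compression flag + 4-byte big-endian length.
HEADER_LEN = 5


class MessageTooLarge(Exception):
    """Raised when a frame declares a payload larger than the configured limit."""


class MalformedFrame(Exception):
    """Raised when the compression flag is not 0 or 1."""


def encode_header(length: int, compressed: bool = False) -> bytes:
    """Build a 5-byte header; used here to construct sample frames for testing."""
    return struct.pack(">BI", 1 if compressed else 0, length)


def encode_frame(payload: bytes, compressed: bool = False) -> bytes:
    """Frame a payload the way a gRPC peer would send it."""
    return encode_header(len(payload), compressed) + payload


class BoundedLengthPrefixedReader:
    """Incremental reader that rejects oversized frames before allocating for them.

    The unsafe pattern this guards against is reserving a buffer sized by the
    peer-controlled length field as soon as the header is parsed. Here the
    declared length is validated first, and the payload buffer only ever holds
    bytes the peer has actually transmitted.
    """

    def __init__(self, max_receive_message_length: int = 4 * 1024 * 1024):
        # 4 MiB is an assumed default for this example.
        self.max_len = max_receive_message_length
        self._buf = bytearray()
        self._declared: Optional[int] = None
        self._compressed = False

    def append(self, data: bytes) -> None:
        """Feed bytes as they arrive from the transport."""
        self._buf += data

    def next_message(self) -> Optional[Tuple[bool, bytes]]:
        """Return (compressed, payload) for the next complete frame, or None if more bytes are needed."""
        if self._declared is None:
            if len(self._buf) < HEADER_LEN:
                return None
            flag, length = struct.unpack(">BI", bytes(self._buf[:HEADER_LEN]))
            if flag not in (0, 1):
                raise MalformedFrame(f"invalid compression flag {flag}")
            # The check happens before any memory is reserved for the payload.
            if length > self.max_len:
                raise MessageTooLarge(
                    f"declared length {length} exceeds limit {self.max_len}"
                )
            del self._buf[:HEADER_LEN]
            self._declared = length
            self._compressed = flag == 1
        if len(self._buf) < self._declared:
            return None  # payload still incomplete; nothing pre-allocated
        payload = bytes(self._buf[:self._declared])
        del self._buf[:self._declared]
        self._declared = None
        return (self._compressed, payload)


def demo() -> Tuple[int, int]:
    """Accept two small frames delivered in fragments, then reject an oversized header.

    Returns (number of messages accepted, declared length of the rejected frame).
    """
    reader = BoundedLengthPrefixedReader(max_receive_message_length=1024)
    stream = encode_frame(b"hello") + encode_frame(b"world", compressed=True)
    accepted = 0
    # Deliver the stream three bytes at a time to exercise partial reads.
    for i in range(0, len(stream), 3):
        reader.append(stream[i:i + 3])
        while (msg := reader.next_message()) is not None:
            accepted += 1
    # A header claiming a 4 GiB payload is rejected with no payload bytes received.
    reader.append(encode_header(0xFFFFFFFF))
    try:
        reader.next_message()
        rejected = -1
    except MessageTooLarge:
        rejected = 0xFFFFFFFF
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

The limit is applied per message, so a server that also caps the total buffered bytes per connection (or simply closes connections that raise MessageTooLarge) bounds memory use regardless of how many headers a peer sends.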
🧯 If You Can't Patch
- Implement strict memory limits and monitoring for gRPC services
- Use rate limiting and input validation at the network perimeter
🔍 How to Verify
Check if Vulnerable:
Check your Package.swift or Package.resolved file for the gRPC Swift version. If the version is 1.1.0 or earlier, you are vulnerable.
Check Version:
grep -n -A 3 "grpc-swift" Package.swift Package.resolved
Verify Fix Applied:
Verify that the gRPC Swift version is 1.2.0 or later in your dependency files and that the application has been rebuilt against it.
📡 Detection & Monitoring
Log Indicators:
- Unusual memory consumption spikes
- Process crashes due to memory exhaustion
- Repeated connection failures to gRPC services
Network Indicators:
- Large incoming messages to gRPC endpoints
- Sudden increase in network traffic to specific gRPC ports
SIEM Query:
source="application_logs" AND ("out of memory" OR "memory allocation failed") AND process="*grpc*"
🔗 References
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35303
- https://github.com/grpc/grpc-swift/releases
- https://github.com/grpc/grpc-swift/security/advisories/GHSA-rxmj-hg9v-vp3p