CVE-2021-38192 – This vulnerability in the prost-types Rust crat... (How to Fix)

📋 TL;DR

This vulnerability in the prost-types Rust crate allows integer overflow when converting Timestamp to SystemTime, potentially causing crashes or undefined behavior. It affects Rust applications using prost-types versions before 0.8.0 for timestamp handling.

💻 Affected Systems

Products:

prost-types Rust crate

Versions: All versions before 0.8.0

Operating Systems: All platforms running Rust applications

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects Rust applications using prost-types for timestamp conversions.

📦 What is this software?

Prost by Prost Project

View all CVEs affecting Prost →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Denial of service through application crashes, or potential memory corruption leading to arbitrary code execution in worst-case scenarios.

🟠

Likely Case

Application crashes or unexpected behavior when processing malformed timestamp data.

🟢

If Mitigated

Minimal impact if proper input validation and error handling are implemented.

🌐 Internet-Facing: MEDIUM - Applications processing untrusted timestamp data from external sources are at risk.

🏢 Internal Only: LOW - Internal systems with controlled timestamp inputs have lower risk.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: NO

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires ability to provide malformed timestamp data to vulnerable conversion functions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.8.0 and later

Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0073.html

Restart Required: Yes

Instructions:

1. Update Cargo.toml to require prost-types >= 0.8.0
2. Run 'cargo update prost-types'
3. Rebuild and redeploy application
4. Restart affected services

🔧 Temporary Workarounds

Input validation

all

Implement validation of timestamp values before conversion

Dependency pinning

all

Pin prost-types to patched version in Cargo.lock

cargo update --package prost-types --precise 0.8.0

🧯 If You Can't Patch

Implement strict input validation for all timestamp data
Wrap timestamp conversion calls in try-catch blocks with proper error handling

🔍 How to Verify

Check if Vulnerable:

Check Cargo.toml or Cargo.lock for prost-types version < 0.8.0

Check Version:

grep prost-types Cargo.lock | grep version

Verify Fix Applied:

Verify prost-types >= 0.8.0 in Cargo.lock and test timestamp conversions

📡 Detection & Monitoring

Log Indicators:

Application crashes during timestamp processing
Panic messages related to integer overflow

Network Indicators:

Unusual timestamp values in incoming data

SIEM Query:

source="application.log" AND ("panic" OR "overflow" OR "timestamp")

📊 Metadata

CVE ID: CVE-2021-38192

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-120

Published: August 8, 2021

Last Updated: November 21, 2024

🔗 References

https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/prost-types/RUSTSEC-2021-0073.md Third Party Advisory
https://rustsec.org/advisories/RUSTSEC-2021-0073.html Exploit,Issue Tracking,Patch,Third Party Advisory
https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/prost-types/RUSTSEC-2021-0073.md Third Party Advisory
https://rustsec.org/advisories/RUSTSEC-2021-0073.html Exploit,Issue Tracking,Patch,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-38192, you might also want to check these: