CVE-2021-45690

9.8 CRITICAL

📋 TL;DR

This vulnerability in the messagepack-rs Rust crate lets attacker-controlled input cause the deserialize_binary function to read uninitialized memory during binary deserialization. This can lead to information disclosure, memory corruption, or potentially remote code execution. Any Rust application that uses a vulnerable version of messagepack-rs to deserialize untrusted data is affected.

💻 Affected Systems

Products:
  • messagepack-rs Rust crate
Versions: All versions through 2021-01-26
Operating Systems: All platforms running Rust applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only applications using the deserialize_binary function are vulnerable. Applications not using binary deserialization may not be affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, data theft, or service disruption.

🟠 Likely Case: Information disclosure through leaked memory contents, potentially exposing sensitive data such as encryption keys or credentials.

🟢 If Mitigated: Limited impact if only trusted data sources are used and proper input validation is implemented.

🌐 Internet-Facing: HIGH - Applications accepting untrusted serialized data over network interfaces are at significant risk.
🏢 Internal Only: MEDIUM - Internal services processing serialized data could still be vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted binary data to the deserialization function. The advisory includes proof-of-concept details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to messagepack-rs 0.8.1 or later

Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0092.html

Restart Required: Yes

Instructions:

1. Update Cargo.toml to require messagepack-rs >= 0.8.1
2. Run 'cargo update -p messagepack-rs'
3. Rebuild and redeploy your application
4. Restart affected services

🔧 Temporary Workarounds

  • Disable binary deserialization (all platforms): avoid calling the deserialize_binary function on untrusted data.
  • Input validation (all platforms): implement strict validation of incoming serialized data before processing.
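As an added example (not code from messagepack-rs or the advisory), the following Rust decoder for the MessagePack bin8/bin16/bin32 family shows the validation the workaround above calls for: the declared length is checked against the bytes actually present before anything is copied, so a short or hostile header yields an error instead of stale memory. The names deserialize_binary_checked, DecodeError and the size limit are my own assumptions.

```rust
use std::convert::TryInto;

/// Errors from the checked decoder; every failure is reported instead of
/// silently returning bytes that were never written (the CVE-2021-45690 pattern).
#[derive(Debug, PartialEq)]
pub enum DecodeError {
    Empty,
    NotBinary(u8),
    TruncatedHeader,
    TruncatedPayload { declared: usize, available: usize },
    TooLarge { declared: usize, limit: usize },
}

/// Decode one MessagePack bin8 (0xc4) / bin16 (0xc5) / bin32 (0xc6) value from
/// `input`. Returns the payload and the number of bytes consumed. `limit` caps
/// the accepted payload length so a hostile header cannot force a huge allocation.
/// (Hypothetical function, not the messagepack-rs API.)
pub fn deserialize_binary_checked(
    input: &[u8],
    limit: usize,
) -> Result<(Vec<u8>, usize), DecodeError> {
    let &tag = input.first().ok_or(DecodeError::Empty)?;
    // Width of the length prefix and the declared length, big-endian per the spec.
    let (len_width, declared) = match tag {
        0xc4 => (1usize, input.get(1).map(|&b| b as usize)),
        0xc5 => (2, input.get(1..3).map(|b| u16::from_be_bytes(b.try_into().unwrap()) as usize)),
        0xc6 => (4, input.get(1..5).map(|b| u32::from_be_bytes(b.try_into().unwrap()) as usize)),
        other => return Err(DecodeError::NotBinary(other)),
    };
    let declared = declared.ok_or(DecodeError::TruncatedHeader)?;
    if declared > limit {
        return Err(DecodeError::TooLarge { declared, limit });
    }
    let start = 1 + len_width;
    let available = input.len().saturating_sub(start);
    // The essential check: the declared length is only trusted once the input is
    // known to contain that many bytes. A decoder that allocates `declared` bytes,
    // marks them initialized and copies only `available` of them hands back stale
    // heap contents, which is the uninitialized read described in the advisory.
    if available < declared {
        return Err(DecodeError::TruncatedPayload { declared, available });
    }
    let end = start + declared; // cannot overflow: declared <= available <= input.len()
    Ok((input[start..end].to_vec(), end))
}
```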

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable services
  • Deploy Web Application Firewall (WAF) rules to block suspicious serialized data patterns

🔍 How to Verify

Check if Vulnerable:

Check Cargo.lock or Cargo.toml for messagepack-rs version <= 0.8.0

Check Version:

grep -A1 'name = "messagepack-rs"' Cargo.lock | grep version

Verify Fix Applied:

Verify messagepack-rs version >= 0.8.1 in Cargo.lock after update

📡 Detection & Monitoring

Log Indicators:

  • Memory access violations
  • Unexpected process crashes during deserialization
  • Abnormal memory usage patterns

Network Indicators:

  • Unusual binary data patterns in network traffic to deserialization endpoints

SIEM Query:

process:crash AND (messagepack OR deserialize_binary) OR memory:violation AND application:rust
