CVE-2021-45692

9.8 CRITICAL

📋 TL;DR

This vulnerability in the messagepack-rs Rust crate allows attackers to read uninitialized memory during deserialization of certain extension types. This can lead to information disclosure or potentially remote code execution if combined with other vulnerabilities. Any Rust application using vulnerable versions of messagepack-rs for deserializing untrusted MessagePack data is affected.

💻 Affected Systems

Products:
  • messagepack-rs Rust crate
Versions: All versions through 2021-01-26
Operating Systems: All operating systems running Rust applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the deserialize_extension_others functionality with untrusted input

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise if combined with memory corruption vulnerabilities

🟠 Likely Case: Information disclosure of sensitive memory contents, potentially including application secrets or user data

🟢 If Mitigated: Limited impact if only trusted data sources are used or proper input validation is implemented

🌐 Internet-Facing: HIGH - Applications accepting untrusted MessagePack data over network interfaces are directly vulnerable
🏢 Internal Only: MEDIUM - Internal services processing MessagePack data could be exploited through lateral movement

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires crafting malicious MessagePack extension data and triggering deserialization

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to messagepack-rs 0.8.0 or later

Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0092.html

Restart Required: Yes

Instructions:

1. Update Cargo.toml to require messagepack-rs >= 0.8.0
2. Run 'cargo update messagepack-rs'
3. Rebuild and redeploy your application
4. Restart affected services

🔧 Temporary Workarounds

Input validation and sanitization (all): Implement strict input validation to reject untrusted MessagePack extension data

Network segmentation (all): Isolate services using messagepack-rs from untrusted networks

🧯 If You Can't Patch

  • Implement strict input validation to reject all MessagePack extension types
  • Use network controls to limit access to affected services to trusted sources only

🔍 How to Verify

Check if Vulnerable:

Check Cargo.lock, or run 'cargo tree | grep messagepack-rs', to see whether a version <= 0.7.0 is in use

Check Version:

cargo tree | grep messagepack-rs

Verify Fix Applied:

Verify messagepack-rs version is >= 0.8.0 in Cargo.lock and rebuild application
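As an added example (not from the advisory or the messagepack-rs project), a POSIX shell check that reads a Cargo.lock and reports whether the pinned messagepack-rs version is below the fixed 0.8.0 release. The sample lockfile is constructed, and the three-part numeric version comparison is an assumption that ignores pre-release tags.

```shell
#!/bin/sh
# Added example, not part of the advisory: check a Cargo.lock for a
# messagepack-rs version below the advisory's fixed release (0.8.0).
# Assumes the usual Cargo.lock layout: a [[package]] table whose
# "name = ..." line is followed by a "version = ..." line.

FIXED_VERSION="0.8.0"

# Constructed sample lockfile (not a real project) pinning a vulnerable version.
SAMPLE_LOCK='[[package]]
name = "messagepack-rs"
version = "0.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde"
version = "1.0.130"
'

# Print the resolved version of crate $1 from Cargo.lock text on stdin.
crate_version() {
  awk -v want="$1" '
    /^\[\[package\]\]/ { name = ""; next }
    /^name = /         { gsub(/"/, "", $3); name = $3; next }
    /^version = / && name == want { gsub(/"/, "", $3); print $3; exit }
  '
}

# Exit 0 if dotted version $1 is strictly lower than $2. Simplified:
# compares three numeric parts and ignores pre-release tags like -rc1.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1
  }'
}

# Exit 0 if the lockfile on stdin pins a vulnerable messagepack-rs, else 1.
is_vulnerable() {
  v=$(crate_version "messagepack-rs")
  [ -n "$v" ] && version_lt "$v" "$FIXED_VERSION"
}

# Real project: is_vulnerable < Cargo.lock
printf '%s' "$SAMPLE_LOCK" | is_vulnerable && echo "vulnerable messagepack-rs pinned (sample)"
```

Run it against a real project with `is_vulnerable < Cargo.lock`; a zero exit status means the lockfile still resolves to a version the advisory lists as affected.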

📡 Detection & Monitoring

Log Indicators:

  • Application crashes during MessagePack deserialization
  • Unexpected memory access errors in Rust panic logs

Network Indicators:

  • Unusual MessagePack traffic patterns
  • Large or malformed MessagePack payloads

SIEM Query:

source="application_logs" AND ("panic" OR "abort") AND "messagepack"
