CVE-2021-45711
📋 TL;DR
This vulnerability in the simple_asn1 Rust crate causes a panic when parsing malicious ASN.1 UTCTime data with a second character greater than 0x7f. Attackers can trigger denial of service by sending specially crafted data to applications using this library. Any Rust application using simple_asn1 0.6.0 for parsing untrusted ASN.1 data is affected.
💻 Affected Systems
- Rust applications using simple_asn1 crate
📦 What is this software?
Simple Asn1 by Simple Asn1 Project
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service causing application crashes and service unavailability, potentially leading to cascading failures in dependent systems.
Likely Case
Application crashes when processing malicious ASN.1 data, resulting in temporary service disruption until restart.
If Mitigated
Minimal impact with proper input validation and error handling that catches panics before they crash the application.
🎯 Exploit Status
Exploitation requires sending specially crafted ASN.1 data to trigger the panic. The vulnerability is simple to exploit with knowledge of ASN.1 encoding.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: simple_asn1 0.6.1
Vendor Advisory: https://rustsec.org/advisories/RUSTSEC-2021-0125.html
Restart Required: Yes
Instructions:
1. Update Cargo.toml to require simple_asn1 >=0.6.1
2. Run 'cargo update -p simple_asn1'
3. Rebuild and redeploy your application
4. Restart affected services
🔧 Temporary Workarounds
Input validation wrapper
Wrap ASN.1 parsing with custom validation that rejects UTCTime data with invalid second characters
Implement custom parser that validates UTCTime second character <= 0x7f before passing to simple_asn1
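One way to build the validation wrapper described above, as an added Rust example that is not part of the advisory or of simple_asn1: it walks the DER structure and rejects any UTCTime containing a byte above 0x7f, which is stricter than checking the second character alone. The names `check_utctime`, `Reject`, `sample` and `MAX_DEPTH` are hypothetical, and the filter assumes DER input with the universal UTCTime tag (0x17).

```rust
// Added example (not simple_asn1 code): fail-closed pre-filter for DER input.
const TAG_UTCTIME: u8 = 0x17; // universal, primitive UTCTime
const MAX_DEPTH: usize = 32; // assumed nesting cap, tune for your data

#[derive(Debug, PartialEq)]
pub enum Reject { Truncated, UnsupportedEncoding, TooDeep, NonAsciiUtcTime }

/// Ok(()) only if the input is walkable and every UTCTime is pure ASCII.
pub fn check_utctime(der: &[u8]) -> Result<(), Reject> { walk(der, 0) }

fn walk(mut buf: &[u8], depth: usize) -> Result<(), Reject> {
    if depth > MAX_DEPTH { return Err(Reject::TooDeep); }
    while !buf.is_empty() {
        let tag = buf[0];
        // High-tag-number form is not handled here, so refuse it.
        if tag & 0x1f == 0x1f { return Err(Reject::UnsupportedEncoding); }
        let (len, hdr) = read_len(&buf[1..])?;
        let end = (1 + hdr).checked_add(len).ok_or(Reject::Truncated)?;
        let body = buf.get(1 + hdr..end).ok_or(Reject::Truncated)?;
        if tag == TAG_UTCTIME && body.iter().any(|&b| b > 0x7f) {
            return Err(Reject::NonAsciiUtcTime);
        }
        if tag & 0x20 != 0 { walk(body, depth + 1)?; } // constructed: recurse
        buf = &buf[end..];
    }
    Ok(())
}

/// Decodes a DER definite length; returns (length, header bytes consumed).
fn read_len(b: &[u8]) -> Result<(usize, usize), Reject> {
    let first = *b.first().ok_or(Reject::Truncated)?;
    if first < 0x80 { return Ok((first as usize, 1)); }
    let n = (first & 0x7f) as usize;
    // 0x80 is indefinite length (not DER); over 4 length bytes is refused.
    if n == 0 || n > 4 { return Err(Reject::UnsupportedEncoding); }
    let bytes = b.get(1..1 + n).ok_or(Reject::Truncated)?;
    Ok((bytes.iter().fold(0usize, |acc, &x| (acc << 8) | x as usize), 1 + n))
}

/// Constructed sample: SEQUENCE { UTCTime } with `second` as the 2nd character.
fn sample(second: u8) -> Vec<u8> {
    let mut v = vec![0x30, 0x0f, 0x17, 0x0d, b'2', second];
    v.extend_from_slice(b"1231235959Z");
    v
}

fn main() {
    println!("{:?} {:?}", check_utctime(&sample(b'1')), check_utctime(&sample(0xc3)));
}
```

Run it on the raw bytes before they reach the simple_asn1 parser and treat any `Err` as a rejected message.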
🧯 If You Can't Patch
- Implement network-level filtering to block or sanitize ASN.1 data containing UTCTime with second character > 0x7f
- Deploy application-level panic recovery mechanisms to catch and handle panics without crashing
🔍 How to Verify
Check if Vulnerable:
Check Cargo.lock for a simple_asn1 package entry at version "0.6.0", or Cargo.toml for a simple_asn1 requirement that resolves to 0.6.0
Check Version:
grep -A2 -B2 simple_asn1 Cargo.lock || grep simple_asn1 Cargo.toml
Verify Fix Applied:
Verify Cargo.lock lists the simple_asn1 package at version "0.6.1" or higher
📡 Detection & Monitoring
Log Indicators:
- Application panic logs mentioning 'simple_asn1' or 'UTCTime'
- Sudden application crashes without clear error messages
- Increased restart frequency of affected services
Network Indicators:
- ASN.1 data packets containing UTCTime with second byte > 0x7f
- Unusual spikes in malformed ASN.1 traffic
SIEM Query:
source="application.logs" AND ("panic" OR "simple_asn1" OR "UTCTime")
🔗 References
- https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/simple_asn1/RUSTSEC-2021-0125.md
- https://rustsec.org/advisories/RUSTSEC-2021-0125.html