CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:N/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
AI Score
Confidence
High
Decoding a specifically formed message can cause invalid free()
or realloc()
calls if the message type contains an oneof
field, and the oneof
directly contains both a pointer field and a non-pointer field. If the message data first contains the non-pointer field and then the pointer field, the data of the non-pointer field is incorrectly treated as if it was a pointer value. Such message data rarely occurs in normal messages, but it is a concern when untrusted data is parsed.
Preliminary patch is available on git for 0.4.x and 0.3.x branches. The fix will be released in versions 0.3.9.8 and 0.4.5 once testing has been completed.
Following workarounds are available:
no_unions
for the oneof field. This will generate fields as separate instead of C union, and avoids triggering the problematic code.FT_POINTER
. This ensures that the data contained inside the union
is always a valid pointer.free()
provide a partial mitigation. Depending on the message type, the pointer value may be attacker controlled and can be used to bypass heap protections.Bug report: https://github.com/nanopb/nanopb/issues/647
If you have any questions or comments about this advisory, comment on the bug report linked above.
github.com/nanopb/nanopb
github.com/nanopb/nanopb/blob/c9124132a604047d0ef97a09c0e99cd9bed2c818/CHANGELOG.txt#L1
github.com/nanopb/nanopb/commit/4a375a560651a86726e5283be85a9231fd0efe9c
github.com/nanopb/nanopb/commit/e2f0ccf939d9f82931d085acb6df8e9a182a4261
github.com/nanopb/nanopb/issues/647
github.com/nanopb/nanopb/security/advisories/GHSA-7mv5-5mxh-qg88
github.com/pypa/advisory-database/tree/main/vulns/nanopb/PYSEC-2021-432.yaml
nvd.nist.gov/vuln/detail/CVE-2021-21401
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:N/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
AI Score
Confidence
High