A significant parsing vulnerability, tracked as CVE-2022-1941, has been uncovered in the ProtocolBuffers (Protobuf) library for C++ (protobuf-cpp) and Python (protobuf-python); the affected protobuf-python versions are listed below:

Protobuf-Python: Up to and including 3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1, and 4.21.5

The vulnerability is triggered when the parser processes MessageSet type instances whose elements carry multiple key-value pairs; parsing such input can exhaust memory and end in unexpected out-of-memory failures. Consequently, an affected system that parses unsanitized input from external sources is exposed to Denial of Service (DoS).

To protect against this threat, it is highly recommended that users upgrade to the following patched versions:

Protobuf-Python: 3.18.3, 3.19.5, 3.20.2, 4.21.6

Please note that the 3.16 and 3.17 release lines are no longer maintained, so no patched release exists for them.

Code Snippet

To illustrate the issue, consider the following Protobuf schema in a '.proto' file:

syntax = "proto3";
message ExampleMessage {
  repeated KeyValue kv_pairs = 1;
}
message KeyValue {
  string key = 1;
  string value = 2;
}

If an attacker sends malformed data in which a single element carries multiple key-value pairs, it could trigger the vulnerability and cause out-of-memory failures. The following is an example of such malformed data, shown in JSON form (note that the one element repeats its "key" and "value" fields):

{
  "kv_pairs": [
    {
      "key": "first_key",
      "value": "first_value",
      "key": "second_key",
      "value": "second_value"
    }
  ]
}

Exploit Details

An attacker taking advantage of this vulnerability could craft a malicious message containing numerous or large key-value pairs per element, driving the affected system into memory exhaustion. The resulting out-of-memory failures could lead to a DoS situation, leaving the targeted services impaired or completely unavailable to legitimate users.

Mitigation Measures

- Upgrade your protobuf-cpp installations to any of the following patched versions: 3.18.3, 3.19.5, 3.20.2, 3.21.6
- Upgrade your protobuf-python installations to any of these patched versions: 3.18.3, 3.19.5, 3.20.2, 4.21.6
- As a best practice, always validate and limit input before it is parsed, so that untrusted data never reaches the parser unchecked; this reduces the risk of exploitation.
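The advice to validate input before parsing is abstract, so here is an added example (not code from this advisory or from the protobuf project): a Python pre-parse guard that walks the raw wire format of the ExampleMessage schema above and rejects a payload that is oversized, malformed, or whose kv_pairs element repeats its key or value field, before the bytes reach protobuf's own parser. The field numbers come from the .proto above; MAX_PAYLOAD, the function names and the sample payloads are assumptions constructed for this example.

```python
from collections import Counter
MAX_PAYLOAD = 64 * 1024  # assumption: demo size cap, tune for your service
KV_PAIRS, KEY, VALUE = 1, 1, 2  # field numbers from the .proto above
LEN = 2  # wire type of length-delimited (string / message) fields

def _varint(buf, pos):
    """Decode a base-128 varint at pos; return (value, next_pos)."""
    result = shift = 0
    while pos < len(buf) and shift < 64:
        b, pos = buf[pos], pos + 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
    raise ValueError("truncated or overlong varint")

def _fields(buf):
    """Yield (field_number, payload) for each length-delimited field in buf."""
    pos = 0
    while pos < len(buf):
        tag, pos = _varint(buf, pos)
        if tag & 7 != LEN:  # the schema above uses no other wire type
            raise ValueError(f"unexpected wire type {tag & 7}")
        size, pos = _varint(buf, pos)
        if pos + size > len(buf):
            raise ValueError("field overruns buffer")
        yield tag >> 3, buf[pos:pos + size]
        pos += size

def check_example_message(raw: bytes) -> bool:
    """True if raw may go to the real parser; False if it is oversized,
    malformed, or a kv_pairs element repeats its key or value field."""
    if len(raw) > MAX_PAYLOAD:
        return False
    try:
        for num, element in _fields(raw):
            if num != KV_PAIRS:
                continue
            counts = Counter(sub_num for sub_num, _ in _fields(element))
            if counts[KEY] > 1 or counts[VALUE] > 1:
                return False
    except ValueError:
        return False
    return True

# Constructed samples (not captured traffic), hand-encoded in wire format:
# a well-formed element, and the duplicated-key element from the JSON above.
GOOD = b"\x0a\x18\x0a\x09first_key\x12\x0bfirst_value"
BAD = (b"\x0a\x32\x0a\x09first_key\x12\x0bfirst_value"
       b"\x0a\x0asecond_key\x12\x0csecond_value")
```

Call check_example_message() on the raw bytes before ParseFromString(); a False result should be logged and the request dropped rather than parsed.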

Original References

For more information on the details and background of CVE-2022-1941, please refer to the original sources:
- CVE-2022-1941 on the MITRE CVE database
- ProtocolBuffers GitHub Repository for details about the affected versions and corresponding patches.

Conclusion

CVE-2022-1941 is a critical parsing vulnerability found in the ProtocolBuffers (Protobuf) library, specifically in its handling of the MessageSet type, affecting both protobuf-cpp and protobuf-python versions. An attacker exploiting this flaw could cause a Denial of Service against the targeted services, leaving them impaired or completely unavailable. To defend against this threat, users must upgrade to the available patched versions and consistently validate input so that untrusted data is not processed unchecked.

Timeline

Published on: 09/22/2022 15:15:00 UTC
Last modified on: 09/27/2022 23:15:00 UTC