
CVE-2021-3121: Processes may panic upon receipt of malicious protobuf messages #101435

Closed
joelsmith opened this issue Apr 23, 2021 · 5 comments
Labels
area/security kind/bug Categorizes issue or PR as related to a bug. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/security Categorizes an issue or PR as relevant to SIG Security. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@joelsmith (Contributor)

Issue Details

A security issue was discovered in code generated by the gogo protobuf compiler used by Kubernetes. The gogo protobuf compiler issue has been assigned CVE-2021-3121 and is also known as the “skippy peanut butter bug”.

A program which uses affected code to handle a malicious protobuf message could panic.
The Kubernetes Product Security Committee has tested the API server using a malicious message, and we believe that there is no security impact to Kubernetes. When an authenticated user sent the malicious message to the API server, a panic occurred. However, the panic handler recovered and the API server continued without interruption (except to the malicious requestor, who received no response).

Generated protobuf files are part of several Kubernetes repositories, and any downstream projects which vendor in these repos should evaluate whether there is any security impact to their project.

Affected Components and Configurations

Any golang components which use handler code created by the gogo protobuf compiler, which accept protobuf messages and do not gracefully handle panics in the unmarshalling codepath may be affected.

The following Linux command can be used to detect affected generated code within a codebase:

find . -name '*.pb.go' | \
  xargs -r grep -l 'if skippy < 0' | \
  xargs -r awk -e '/if skippy < 0/ {a=4} /if \(iNdEx \+ skippy\) > postIndex/ &&' \
    -e 'a>0 {print FILENAME " " FNR ": " $0 " // vulnerable to CVE-2021-3121"} {a--}'

Although we do not believe there is any security impact to Kubernetes, we have updated all generated protobufs out of an abundance of caution and as a courtesy to any downstream consumers who may be affected. The following PRs addressed this issue in Kubernetes:

Master branch: #98477, #101306
1.21 branch: #98477 (in 1.21.0), #101325 (in 1.21.1)
1.20 branch: #100501 (in 1.20.6), #101326 (in 1.20.7)
1.19 branch: #100515 (in 1.19.10), #101327 (in 1.19.11)
1.18 branch: #100514 (in 1.18.18), #101335 (in 1.18.19)

For other generated protobuf go handlers, the issue can be remediated by upgrading the gogo protobuf compiler to a fixed version (v1.3.2 or later), then regenerating affected protobuf code with the updated protobuf compiler.

Mitigations

Disabling support for protobuf messages may be one possible mitigation for any affected product.

Also, graceful panic handling in message handlers mitigates the bug.

Detection

If you use generated protobuf code in a product and you observe a process exiting with messages similar to the following, a malicious user may be exploiting this defect:

panic: runtime error: index out of range [-9223372036854775804]
 
goroutine 1 [running]:
v1.(*MessageName).Unmarshal(0xc000057ef8, 0xc0000161a0, 0xa, 0x10, 0xc000057ec8, 0x1)
        .../protofile.pb.go:250 +0xb86

References
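As an added illustration (not code from this issue, from Kubernetes, or from gogo/protobuf), the check shape the awk command above matches, beside the guard that v1.3.2 generates, plus a recover wrapper of the kind the Mitigations section describes. The function names, the `ErrInvalidLength` stand-in and the input values are assumptions constructed for the example; the awk-matched snippet is reproduced from the pattern described above, not pasted from generated output.

```go
package main

import (
	"errors"
	"fmt"
	"io"
)

// Stand-in for the ErrInvalidLength<File> variable of generated code (name assumed).
var ErrInvalidLength = errors.New("proto: negative length found during unmarshaling")

// SkipFieldVulnerable mirrors the check shape the awk command above flags: iNdEx+skippy can wrap negative.
func SkipFieldVulnerable(dAtA []byte, iNdEx, skippy, postIndex int) (int, error) {
	if skippy < 0 {
		return 0, ErrInvalidLength
	}
	if (iNdEx + skippy) > postIndex { // a wrapped-negative sum passes this test
		return 0, io.ErrUnexpectedEOF
	}
	iNdEx += skippy
	if iNdEx < len(dAtA) { // generated code resumes its `for iNdEx < l` loop here
		_ = dAtA[iNdEx] // runtime error: index out of range [-922...]
	}
	return iNdEx, nil
}

// SkipFieldFixed carries the guard gogo protobuf v1.3.2 emits: the sum must be non-negative too.
func SkipFieldFixed(dAtA []byte, iNdEx, skippy, postIndex int) (int, error) {
	if (skippy < 0) || (iNdEx+skippy) < 0 {
		return 0, ErrInvalidLength
	}
	if (iNdEx + skippy) > postIndex {
		return 0, io.ErrUnexpectedEOF
	}
	return iNdEx + skippy, nil
}

// RecoverUnmarshal is the "graceful panic handling" mitigation: a panic becomes an error.
func RecoverUnmarshal(fn func() error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("unmarshal panicked: %v", r)
		}
	}()
	return fn()
}
func main() { // constructed input: 16-byte buffer and a skippy that makes iNdEx+skippy overflow int
	buf, skippy := make([]byte, 16), 1<<63 - 2
	fmt.Println(RecoverUnmarshal(func() error { _, e := SkipFieldVulnerable(buf, 4, skippy, 16); return e }))
}
```

The wrapper keeps a process alive the way the API server's panic handler did, but it is a backstop: the regenerated check is what rejects the message before any negative index is formed.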

@joelsmith joelsmith added the kind/bug Categorizes issue or PR as related to a bug. label Apr 23, 2021
@k8s-ci-robot k8s-ci-robot added needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 23, 2021
@joelsmith (Contributor, Author)

/area security
/close

@k8s-ci-robot (Contributor)

@joelsmith: Closing this issue.

In response to this:

/area security
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@joelsmith (Contributor, Author)

/sig security
/sig api-machinery

@k8s-ci-robot k8s-ci-robot added sig/security Categorizes an issue or PR as relevant to SIG Security. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Apr 23, 2021
@fedebongio (Contributor)

/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels May 20, 2021
@PushkarJ (Member)

/label official-cve-feed

(Related to kubernetes/sig-security#1)

@k8s-ci-robot k8s-ci-robot added the official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) label Oct 14, 2022