Rust — CraftedSignal Threat Feed

rust-openssl Unchecked Callback Length Memory Leak

hello@craftedsignal.io — Thu, 23 Apr 2026 12:00:00 +0000

The rust-openssl crate, a Rust wrapper for the OpenSSL library, is susceptible to a high-severity vulnerability due to unchecked callback lengths within the FFI trampolines used by several functions related to PSK (Pre-Shared Key) and cookie generation. Specifically, versions 0.9.24 up to (but not including) 0.10.78 are affected. The vulnerable functions include SslContextBuilder::set_psk_client_callback, set_psk_server_callback, set_cookie_generate_cb, and set_stateless_cookie_generate_cb. The issue arises because the user-provided closure’s returned usize (size) value is directly passed to OpenSSL without validation against the size of the &mut [u8] buffer provided to the closure, resulting in potential buffer overflows and memory leaks. This allows an attacker to potentially leak adjacent memory regions to a peer.

Attack Chain

An attacker crafts a malicious application or exploits an existing application using the vulnerable rust-openssl crate.
The attacker triggers one of the vulnerable callback functions (set_psk_client_callback, set_psk_server_callback, set_cookie_generate_cb, or set_stateless_cookie_generate_cb).
The vulnerable callback function executes the user-provided closure.
The user-provided closure returns a usize value indicating the intended length of the data to be written to the output buffer.
The FFI trampoline forwards this usize value directly to OpenSSL, bypassing bounds checking against the actual buffer size.
If the returned usize exceeds the allocated buffer size, OpenSSL writes beyond the buffer boundary, leading to a buffer overflow.
The buffer overflow allows the attacker to read adjacent memory regions or overwrite data, potentially leaking sensitive information or corrupting program state.
Successful exploitation could lead to information disclosure, denial of service, or potentially arbitrary code execution.

Impact

Successful exploitation of this vulnerability could lead to information disclosure, denial of service, or potentially arbitrary code execution. Given the widespread use of the rust-openssl crate in various applications, the impact could be significant, affecting numerous services and potentially exposing sensitive data. The vulnerability allows for memory leakage to peers which could have broad consequences.

Recommendation

Upgrade to rust-openssl version 0.10.78 or later to patch the vulnerability (reference: https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78).
Implement input validation and sanitization within user-provided closures to ensure that the returned usize value does not exceed the allocated buffer size, mitigating the risk even in vulnerable versions.

russh Keyboard-Interactive Authentication Denial-of-Service

hello@craftedsignal.io — Wed, 03 Jul 2024 12:00:00 +0000

A pre-authentication denial-of-service vulnerability exists in the russh crate, specifically affecting servers that implement keyboard-interactive authentication. This vulnerability allows a malicious client to crash a russh-based server by sending a malformed packet, without needing any valid credentials. The vulnerability resides in the read_userauth_info_response function within russh/src/server/encrypted.rs, where an unbounded u32 count from the client’s SSH_MSG_USERAUTH_INFO_RESPONSE message is used directly to allocate memory via Vec::with_capacity(). An attacker can exploit this by sending a large value for ’n’ (e.g., 0x10000000), leading to a massive memory allocation attempt and subsequent out-of-memory crash. This affects servers using keyboard-interactive for multi-step authentication such as TOTP or 2FA. The vulnerability exists in russh versions prior to 0.60.1.

Attack Chain

Attacker establishes a TCP connection to the russh server.
The attacker performs the initial SSH key exchange (anonymous DH handshake).
The attacker sends a USERAUTH_REQUEST message with the authentication method set to keyboard-interactive.
The server responds with Auth::Partial, indicating that keyboard-interactive authentication is in progress and prompts are required.
The attacker sends a USERAUTH_INFO_RESPONSE message with a crafted u32 value for ’n’ set to a large number, such as 0x10000000 (268435456), indicating the number of responses.
The attacker intentionally does not include any response data in the USERAUTH_INFO_RESPONSE message, to maximize the memory allocation attempt.
The server attempts to allocate memory using Vec::with_capacity(n), where n is the attacker-controlled large value, triggering excessive memory allocation.
The server exhausts available memory, leading to an out-of-memory (OOM) condition, and the server process crashes, causing a denial of service.

Impact

A successful attack results in a denial of service, crashing the russh server and affecting all active SSH sessions. Because the attack occurs before authentication, it can be executed repeatedly and quickly, preventing legitimate users from accessing the server. This can disrupt services relying on the SSH server, leading to downtime and potential data loss. An end-to-end Proof of Concept demonstrates that a russh server within a container with a 512MB memory limit can be OOM-killed by this vulnerability.

Recommendation

Upgrade to russh version 0.60.1 or later to incorporate the fix that limits the Vec::with_capacity allocation based on the remaining packet data.
Monitor network traffic for SSH USERAUTH_INFO_RESPONSE messages with unusually large response counts using the provided Sigma rule “Detect Excessive SSH Keyboard-Interactive Responses”.
Implement rate limiting or connection limits to mitigate the impact of rapid connection attempts from malicious clients.
Review and audit implementations of Handler::auth_keyboard_interactive to ensure proper input validation and resource management, especially where Auth::Partial is returned.

rustls-webpki Denial-of-Service Vulnerability via Malformed CRL BIT STRING

hello@craftedsignal.io — Tue, 09 Jan 2024 12:00:00 +0000

A denial-of-service vulnerability has been identified in the rustls-webpki crate, specifically affecting versions prior to 0.103.13 and versions between 0.104.0-alpha.1 and 0.104.0-alpha.7. The vulnerability stems from a panic within the bit_string_flags() function located in src/der.rs. This panic occurs when the function processes a malformed Certificate Revocation List (CRL) containing a BIT STRING with a content of exactly [0x00]. The issue is triggered via the issuingDistributionPoint CRL extension when CRL revocation checking is explicitly enabled through RevocationOptions and the application loads CRL data from a source controlled by an attacker. This vulnerability allows a remote attacker to cause a denial of service in applications that rely on rustls-webpki for certificate validation.

Attack Chain

Attacker obtains a certificate from a Certificate Authority (CA) that permits custom Certificate Distribution Point (CDP) URLs.
Attacker sets the CDP of the certificate to point to a server they control (e.g., cdp).
The attacker crafts a malicious CRL with a BIT STRING in the issuingDistributionPoint extension containing the byte sequence 0x00, triggering the vulnerability in bit_string_flags(). The CRL must be DER encoded and contain the following ASN.1 structure: a0 10 30 0e 30 0c 06 03 55 1d 1c 04 05 30 03 83 01 00
The attacker hosts the crafted CRL on the server specified in the CDP.
A vulnerable mTLS server configured to use CRL checking receives a connection request from a client presenting the attacker’s certificate.
The mTLS server fetches the CRL from the attacker-controlled CDP server during the TLS handshake.
The BorrowedCertRevocationList::from_der() function parses the CRL, leading to the execution of bit_string_flags() on the malformed BIT STRING.
The bit_string_flags() function panics due to an index-out-of-bounds error, resulting in a denial-of-service condition on the mTLS server.

Impact

Successful exploitation of this vulnerability leads to a denial-of-service condition. Affected applications that perform mTLS, particularly servers, become unavailable when processing connections from clients presenting certificates with malicious CRL distribution points. This can disrupt services and impact availability. The severity is high because an attacker can trigger the vulnerability remotely without authentication.

Recommendation

Upgrade to rustls-webpki version 0.103.13 or 0.104.0-alpha.7 or later to patch the vulnerability.
Deploy the Sigma rule Detect-Malformed-CRL-Bit-String to identify attempts to exploit this vulnerability by monitoring for specific byte sequences in CRL data.
Implement strict validation and sanitization of CRL data before processing it with rustls-webpki, especially when fetching CRLs from untrusted sources.