Denial of Service in ZeroMQ

Vulnerability

In ZeroMQ versions before 4.3.3, a denial-of-service vulnerability exists in the TCP transport handling. When a raw TCP socket is opened and connected to a ZeroMQ endpoint that is fully configured with CURVE encryption and ZAP authentication, the server application becomes unable to receive any messages from legitimate CURVE-authenticated clients. Handshakes complete successfully, and messages are delivered to the library, but they are never passed to the server application. This affects all ZeroMQ installations with TCP transport public endpoints, even those with CURVE/ZAP enabled. [1][2][3]

Exploitation

An unauthenticated remote attacker needs only to open a raw TCP connection to a ZeroMQ TCP endpoint. No authentication, user interaction, or special network position is required beyond the ability to reach the endpoint. The attacker simply connects a raw socket; the handshake with the ZeroMQ library will complete, but the attacker does not need to complete any legitimate CURVE handshake. The act of connecting causes the server to permanently lose the ability to receive messages from legitimate clients. [3]

Impact

A successfully exploited denial-of-service renders the ZeroMQ server application unable to receive any messages from legitimate clients, even after the attacker disconnects. This is a high-availability impact; the service does not crash but becomes effectively unusable for all intended communications. There is no loss of confidentiality or integrity, but the service is completely denied. [1][2][3]

Mitigation

The vulnerability is fixed in ZeroMQ version 4.3.3. Users should upgrade to this version or later. At the time of publication, no workaround existed for unpatched versions [3]. Fedora and Gentoo have released updated packages referencing the fix. [1][2][3]