The .NET ecosystem is affected by a similar flaw that has wreaked havoc among Java apps and developers in 2016.
The flaw is in how .NET coding libraries handle deserialization operations, leading to situations where attackers can execute code on servers or computers handling deserialized data.
Attacks via deserialization operations have been known since 2011, but they became everyone's problem in early 2015 when two researchers — Chris Frohoff and Gabriel Lawrence — found a deserialization flaw in the Apache Commons Collection, a very popular Java application.
Researchers from Foxglove Security expanded on the initial work in late 2015, showing how an attacker could use a deserialization flaw in Java applications where developers have incorrectly used the Apache Commons Collection library to handle deserialization operations.
Their experiments showed that an attacker could upload malicious data inside popular Java apps such as WebLogic, WebSphere, JBoss, Jenkins, and OpenNMS. This data would be serialized and stored in a database or in memory, but when the app would deserialize it to use the content of the serialized data, it would also execute additional malicious code on affected systems.
The Java deserialization flaw was so dangerous that Google engineers banded together in their free time to repair open-source Java libraries and limit the flaw's reach, patching over 2,600 projects.
Internally at Google, the flaw was referenced to as Mad Gadget, but the world referred to it as the Java Apocalypse.
Now, new research from two HPE software security researchers — Alvaro Muñoz and Oleksandr Mirosh — reveal that a similar deserialization flaw affects the .NET ecosystem.
Just like with Java apps, the flaw is in how .NET libraries handle serialized data during deserialization, allowing an attacker to sneak in code that gets executed on a target's machine.
Just like in the Java world, the flaw is not always present. Some .NET libraries are not affected, and applications that use affected libraries are safe just because programmers treat serialized data as insecure and don't allow it access to certain functions and methods.
In their research paper, Muñoz and Mirosh focused their research on analyzing deserialization flaws in .NET and Java libraries that work with JSON data.
On page 5, researchers included reviews for all the .NET and Java apps they analyzed, pointing out which ones are safe and how developers should use them to avoid deserialization attacks when working with JSON data.
To show that the flaw they discovered can affect real-world apps, and is not just a theoretical threat, researchers identified: CVE-2017-9424 — a JSON deserialization flaw in Breeze, a .NET data management backend framework; and CVE-2017-9785 — a JSON deserialization flaw in NancyFX, a lightweight .NET web framework based on Ruby's Sinatra.
Besides JSON deserialization, the flaw is present in other libraries that handle deserialization of XML data objects as well. Researchers also identified CVE-2017-9822 — an XML deserialization flaw in DotNetNuke, today's most used .NET CMS.
As mentioned above, these flaws are a combination of vulnerabilities in .NET libraries but also bad coding practices on behalf of developers, who fail to recognize that serialized data is not necessarily secure by default.
Addressing the flaw would require security improvements to many .NET libraries, but also some conscious effort on the part of regular programmers.
"Serializers are security sensitive APIs and should not be used with untrusted data. This is not a problem specific to Java serialization, a specifc .NET formatter or any specific formats such as JSON, XML or Binary," researchers say. "All serializers need to reconstruct objects and will normally invoke methods that attackers will try to abuse to initiate gadget chains leading to arbitrary code execution."