CVE-2024-48924

{"id": "CVE-2024-48924", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 8.7, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "NONE", "vulnerableSystemIntegrity": "NONE", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "NONE", "vulnerableSystemConfidentiality": "NONE", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-10-17T21:15:14.070", "references": [{"url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/commit/8e599af0798b45008f8b293a7f233e4878f11ed5", "source": "security-advisories@github.com"}, {"url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/commit/f8d40b3ad0be01c6e56cb51ecea81f59d98c192d", "source": "security-advisories@github.com"}, {"url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-4qm4-8hg2-g2xm", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-328"}]}], "descriptions": [{"lang": "en", "value": "### Impact\n\nWhen this library is used to deserialize messagepack data from an untrusted source, there is a risk of a denial of service attack by an attacker that sends data contrived to produce hash collisions, leading to large CPU consumption disproportionate to the size of the data being deserialized.\n\nThis is similar to [a prior advisory](https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf), which provided an inadequate fix for the hash collision part of the vulnerability.\n\n### Patches\n\nThe following steps are required to mitigate this risk.\n\n1. Upgrade to a version of the library where a fix is available.\n1. Review the steps in [this previous advisory](https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf) to ensure you have your application configured for untrusted data.\n\n### Workarounds\n\nIf upgrading MessagePack to a patched version is not an option for you, you may apply a manual workaround as follows:\n\n1. Declare a class that derives from `MessagePackSecurity`.\n2. Override the `GetHashCollisionResistantEqualityComparer<T>` method to provide a collision-resistant hash function of your own and avoid calling `base.GetHashCollisionResistantEqualityComparer<T>()`.\n3. Configure a `MessagePackSerializerOptions` with an instance of your derived type by calling `WithSecurity` on an existing options object.\n4. Use your custom options object for all deserialization operations. This may be by setting the `MessagePackSerializer.DefaultOptions` static property, if you call methods that rely on this default property, and/or by passing in the options object explicitly to any `Deserialize` method.\n\n### References\n\n- Learn more about best security practices when reading untrusted data with [MessagePack 1.x](https://github.com/MessagePack-CSharp/MessagePack-CSharp/tree/v1.x#security) or [MessagePack 2.x](https://github.com/MessagePack-CSharp/MessagePack-CSharp#security).\n- The .NET team's [discussion on hash collision vulnerabilities of their `HashCode` struct](https://github.com/GrabYourPitchforks/runtime/blob/threat_models/docs/design/security/System.HashCode.md).\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* [Start a public discussion](https://github.com/MessagePack-CSharp/MessagePack-CSharp/discussions)\n* [Email us privately](mailto:andrewarnott@live.com)"}, {"lang": "es", "value": "### Impacto Cuando esta librer\u00eda se utiliza para deserializar datos de un paquete de mensajes de una fuente no confiable, existe el riesgo de un ataque de denegaci\u00f3n de servicio por parte de un atacante que env\u00eda datos dise\u00f1ados para producir colisiones de hash, lo que lleva a un gran consumo de CPU desproporcionado al tama\u00f1o de los datos que se deserializan. Esto es similar a [un aviso anterior](https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf), que proporcion\u00f3 una soluci\u00f3n inadecuada para la parte de colisi\u00f3n de hash de la vulnerabilidad. ### Parches Se requieren los siguientes pasos para mitigar este riesgo. 1. Actualice a una versi\u00f3n de la librer\u00eda donde haya una soluci\u00f3n disponible. 1. Revise los pasos en [este aviso anterior](https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-7q36-4xx7-xcxf) para asegurarse de que su aplicaci\u00f3n est\u00e9 configurada para datos no confiables. ### workarounds Si actualizar MessagePack a una versi\u00f3n parcheada no es una opci\u00f3n para usted, puede aplicar un workaround manual de la siguiente manera: 1. Declare una clase que derive de `MessagePackSecurity`. 2. Anule el m\u00e9todo `GetHashCollisionResistantEqualityComparer` para proporcionar una funci\u00f3n hash resistente a colisiones propia y evitar llamar a `base.GetHashCollisionResistantEqualityComparer()`. 3. Configure `MessagePackSerializerOptions` con una instancia de su tipo derivado llamando a `WithSecurity` en un objeto de opciones existente. 4. Utilice su objeto de opciones personalizado para todas las operaciones de deserializaci\u00f3n. Esto puede hacerse configurando la propiedad est\u00e1tica `MessagePackSerializer.DefaultOptions`, si llama a m\u00e9todos que dependen de esta propiedad predeterminada, y/o pasando el objeto de opciones expl\u00edcitamente a cualquier m\u00e9todo `Deserialize`. ### Referencias: Obtenga m\u00e1s informaci\u00f3n sobre las mejores pr\u00e1cticas de seguridad al leer datos no confiables con [MessagePack 1.x](https://github.com/MessagePack-CSharp/MessagePack-CSharp/tree/v1.x#security) o [MessagePack 2.x](https://github.com/MessagePack-CSharp/MessagePack-CSharp#security). - El equipo .NET [discusi\u00f3n sobre las vulnerabilidades de colisi\u00f3n de hash de su estructura `HashCode`](https://github.com/GrabYourPitchforks/runtime/blob/threat_models/docs/design/security/System.HashCode.md). ### Para obtener m\u00e1s informaci\u00f3n Si tiene alguna pregunta o comentario sobre este aviso: * [Inicie una discusi\u00f3n p\u00fablica](https://github.com/MessagePack-CSharp/MessagePack-CSharp/discussions) * [Env\u00edenos un correo electr\u00f3nico privado](mailto:andrewarnott@live.com)"}], "lastModified": "2024-10-18T12:52:33.507", "sourceIdentifier": "security-advisories@github.com"}