Threat Feed
medium advisory

go-zserio Unbounded Memory Allocation Vulnerability

go-zserio versions prior to 0.9.1 are vulnerable to unbounded memory allocation when deserializing data, potentially leading to denial of service.

A vulnerability exists in the go-zserio library, a Go implementation of the zserio serialization format, in versions prior to 0.9.1. The vulnerability stems from how the library deserializes arrays, strings, and byte arrays (blobs). For each of these types, go-zserio reads a length value directly from the input stream and allocates memory for that many elements before checking that the stream actually contains them. Because the declared length is trusted without validation, a malicious actor can craft a message whose length prefix is far larger than the message itself; a few bytes of input are then enough to make the go-zserio runtime request an allocation of gigabyte scale, exhausting memory and resulting in a denial-of-service (DoS) condition. Any application that uses go-zserio to parse untrusted input is exposed. Note that the severity is rated medium, as the page header indicates: the impact is limited to availability.

Attack Chain

  1. Attacker crafts a malicious zserio data file containing an excessively large size value for an array, string, or blob field.
  2. The attacker delivers the malicious data file to a vulnerable application that uses go-zserio for data deserialization. This could be achieved through various means, such as uploading the file to a server, sending it as an attachment, or including it in a network packet.
  3. The vulnerable application receives the malicious data file and attempts to deserialize it using the go-zserio library.
  4. The go-zserio library reads the large length value from the malicious data file.
  5. Based on this untrusted length value, the go-zserio library attempts to allocate a buffer of that size before verifying that the corresponding bytes are present in the input.
  6. The allocation request (or several of them, if the attacker repeats the request) consumes significant system resources, potentially exhausting available memory.
  7. When the allocation cannot be satisfied, the Go runtime aborts the process with a fatal "runtime: out of memory" error, which cannot be recovered with recover(); when it can be satisfied, the zeroed buffer still pins memory and may trigger the host's out-of-memory killer.
  8. The application experiences a denial-of-service condition, becoming unavailable to legitimate users.

Impact

Successful exploitation of this vulnerability leads to a denial-of-service condition. The affected application becomes unavailable, interrupting business operations; a process that is killed while handling other requests may also lose in-flight work. The severity of the impact depends on the role of the application within the organization's infrastructure and on whether it accepts zserio data from untrusted sources. It is not known how many organizations are affected by this vulnerability.

Recommendation

  • Upgrade to go-zserio version 0.9.1 or later to patch the vulnerability.
  • Implement input validation: before allocating, check each declared array, string, or blob length against the number of bytes remaining in the input and against an application-defined maximum, and reject the message if either bound is exceeded.
  • Deploy the Sigma rule Detect Suspicious Large Memory Allocation to identify processes allocating unusually large amounts of memory, which may indicate exploitation attempts.
  • Monitor applications that use go-zserio for excessive memory consumption using system monitoring tools, and run them under a process or container memory limit (for example a cgroup memory limit) so that exhaustion does not take down the host.

Detection coverage (2 rules)

Detect Suspicious Large Memory Allocation

high

Detects processes that allocate an unusually large amount of memory, potentially indicating exploitation of memory allocation vulnerabilities.

sigma tactics: impact techniques: T1499 (Endpoint Denial of Service) sources: process_creation, windows

Detect Suspicious Large Memory Allocation (Linux)

high

Detects processes that allocate an unusually large amount of memory on Linux, potentially indicating exploitation of memory allocation vulnerabilities.

sigma tactics: impact techniques: T1499 (Endpoint Denial of Service) sources: process_creation, linux
