Attack Chain

1. Attacker crafts a malicious zserio data file containing an excessively large size value for an array, string, or blob field.
2. The attacker delivers the malicious data file to a vulnerable application that uses go-zserio for data deserialization. This could be achieved through various means, such as uploading the file to a server, sending it as an attachment, or including it in a network packet.
3. The vulnerable application receives the malicious data file and attempts to deserialize it using the go-zserio library.
4. The go-zserio library reads the large size value from the malicious data file.
5. Based on this untrusted size value, the go-zserio library attempts to allocate a large amount of memory to store the incoming data.
6. The memory allocation request consumes significant system resources, potentially exhausting available memory.
7. The system may become unresponsive or crash due to memory exhaustion.
8. The application experiences a denial-of-service condition, becoming unavailable to legitimate users.

Impact

Successful exploitation of this vulnerability can lead to a denial-of-service condition. The affected application becomes unavailable, impacting business operations and potentially causing data loss or corruption. The severity of the impact depends on the role and importance of the application within the organization’s infrastructure. It is not known how many organizations are affected by this vulnerability.

Recommendation

• Upgrade to go-zserio version 0.9.1 or later to patch the vulnerability.
• Implement input validation to check the size of arrays, strings, and blobs before deserialization, preventing excessive memory allocation.
• Deploy the Sigma rule Detect Suspicious Large Memory Allocation to identify processes allocating unusually large amounts of memory, which may indicate exploitation attempts.
• Monitor applications that use go-zserio for excessive memory consumption using system monitoring tools.