{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/messagepack/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Nerdbank.MessagePack (\u003c 1.1.62)"],"_cs_severities":["high"],"_cs_tags":["denial-of-service","stack-overflow","messagepack"],"_cs_type":"advisory","_cs_vendors":["NuGet"],"content_html":"\u003cp\u003eNerdbank.MessagePack versions prior to 1.1.62 contain an uncontrolled stack allocation flaw. An attacker can craft a MessagePack payload that declares an oversized timestamp extension length. When the application deserializes this payload and reaches a \u003ccode\u003eDateTime\u003c/code\u003e value, the reader \u003ccode\u003estackalloc\u003c/code\u003es an attacker-controlled number of bytes before the length is validated. The oversized allocation raises a \u003ccode\u003eStackOverflowException\u003c/code\u003e, which managed code cannot catch, so the process terminates. The flaw affects any application that deserializes MessagePack data from untrusted sources and results in denial of service. 
Defenders should prioritize patching, or apply the workarounds below until they can.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a MessagePack payload containing a timestamp extension (ext type -1) whose declared length is not 4, 8, or 12 bytes, the only sizes the MessagePack timestamp encodings (timestamp 32, 64, and 96) allow. The declared length can be far larger than the payload that carries it.\u003c/li\u003e\n\u003cli\u003eThe target application receives the payload from an untrusted source.\u003c/li\u003e\n\u003cli\u003eThe application deserializes the data with Nerdbank.MessagePack.\u003c/li\u003e\n\u003cli\u003eDuring deserialization, the \u003ccode\u003eDateTime\u003c/code\u003e decoder reaches the malicious timestamp extension.\u003c/li\u003e\n\u003cli\u003eThe decoder derives \u003ccode\u003etokenSize\u003c/code\u003e from the attacker-controlled extension length \u003cem\u003ebefore\u003c/em\u003e validating it.\u003c/li\u003e\n\u003cli\u003eThe unvalidated size is passed to a \u003ccode\u003estackalloc\u003c/code\u003e on the streaming reader\u0026rsquo;s slow path, reserving far more stack memory than the thread has.\u003c/li\u003e\n\u003cli\u003eThe allocation exhausts the thread\u0026rsquo;s stack and the runtime raises a \u003ccode\u003eStackOverflowException\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eBecause a \u003ccode\u003eStackOverflowException\u003c/code\u003e cannot be handled by a \u003ccode\u003etry\u003c/code\u003e/\u003ccode\u003ecatch\u003c/code\u003e block, the runtime terminates the process, resulting in a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation terminates the process. The flaw affects applications that deserialize MessagePack data from untrusted sources, particularly long-running processes such as services, APIs, workers, and message consumers, where a single crash drops every in-flight request and the attacker can repeat the crash after each restart. The payload needed is only a few bytes, because the attacker controls the declared extension length rather than having to supply the data it claims to carry. 
This can disrupt business functions that depend on the affected application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Nerdbank.MessagePack version 1.1.62 or later to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eIf you cannot patch immediately, pre-validate MessagePack extension headers before deserialization, rejecting timestamp extensions (ext type -1) whose length is not 4, 8, or 12 bytes, as suggested in the advisory [GHSA-2cwq-pwfr-wcw3]; rejecting any extension whose declared length exceeds the bytes left in the buffer is a cheap additional check.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Nerdbank MessagePack Suspicious Stack Allocation\u0026rdquo; to detect exploitation attempts. Note that the allocation itself leaves no log trace; what is observable is the resulting crash, so pair the rule with alerting on repeated terminations or restarts of the affected services.\u003c/li\u003e\n\u003cli\u003eIf immediate patching is not feasible, run deserialization of untrusted payloads in isolated processes that can be safely restarted, as described in [GHSA-2cwq-pwfr-wcw3]. In-process containment does not work here, because the exception cannot be caught.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-nerdbank-stack-overflow/","summary":"A malicious MessagePack payload can trigger a StackOverflowException in Nerdbank.MessagePack due to an uncontrolled stack allocation when decoding DateTime values with oversized timestamp extension lengths, leading to process termination.","title":"Nerdbank.MessagePack DateTime Decoding Stack Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-nerdbank-stack-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Messagepack","version":"https://jsonfeed.org/version/1.1"}
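The pre-validation workaround from the recommendation list, as an added example appended after the feed entry. It is not code from the advisory or from Nerdbank.MessagePack, and it is written in Python rather than C# so it runs stand-alone; the same scan ports directly to a Span<byte> pass in front of the real deserializer. The scanner walks the MessagePack wire format without decoding any values and refuses the payload if a timestamp extension (ext type -1, the spec's reserved type) declares a length other than 4, 8 or 12, or if any header declares more bytes than the buffer still holds, which is the check the vulnerable reader skipped. All sample payloads are constructed for the example; the six-byte OVERSIZED one is the shape of input the attack chain describes.

```python
TIMESTAMP_EXT_TYPE = -1                # reserved by the MessagePack spec
VALID_TIMESTAMP_LENGTHS = {4, 8, 12}   # timestamp 32 / 64 / 96

_FIXED = {0xca: 4, 0xcb: 8, 0xcc: 1, 0xcd: 2, 0xce: 4, 0xcf: 8,
          0xd0: 1, 0xd1: 2, 0xd2: 4, 0xd3: 8}                   # float/uint/int widths
_BLOB = {0xc4: 1, 0xc5: 2, 0xc6: 4, 0xd9: 1, 0xda: 2, 0xdb: 4}   # bin/str prefix widths
_CONT = {0xdc: (2, 1), 0xdd: (4, 1), 0xde: (2, 2), 0xdf: (4, 2)}  # (prefix width, values per item)
_FIXEXT = {0xd4: 1, 0xd5: 2, 0xd6: 4, 0xd7: 8, 0xd8: 16}         # fixext data sizes
_EXT = {0xc7: 1, 0xc8: 2, 0xc9: 4}                               # ext8/16/32 prefix widths


class InvalidMessagePack(ValueError):
    """Raised for any header that must not reach the real deserializer."""


def _need(buf, pos, n):
    """Return pos + n, or raise if fewer than n bytes remain (checked before any allocation)."""
    if n > len(buf) - pos:
        raise InvalidMessagePack(f"declared {n} bytes at offset {pos}, only {len(buf) - pos} remain")
    return pos + n


def _read_len(buf, pos, width):
    pos = _need(buf, pos, width)
    return int.from_bytes(buf[pos - width:pos], "big"), pos


def _ext(buf, pos, length, type_byte):
    """Check one extension header; pos points at the first data byte."""
    ext_type = type_byte - 256 if type_byte >= 128 else type_byte   # type is a signed int8
    if ext_type == TIMESTAMP_EXT_TYPE and length not in VALID_TIMESTAMP_LENGTHS:
        raise InvalidMessagePack(f"timestamp extension with length {length} at offset {pos}")
    return _need(buf, pos, length)


def _header(buf, pos):
    """Consume one value header at pos; return (new pos, number of child values)."""
    b = buf[pos]
    pos += 1
    if b <= 0x7f or b >= 0xe0 or b in (0xc0, 0xc2, 0xc3):  # fixint, nil, bool
        return pos, 0
    if 0x80 <= b <= 0x8f:                                  # fixmap: n key/value pairs
        return pos, 2 * (b & 0x0f)
    if 0x90 <= b <= 0x9f:                                  # fixarray
        return pos, b & 0x0f
    if 0xa0 <= b <= 0xbf:                                  # fixstr
        return _need(buf, pos, b & 0x1f), 0
    if b in _FIXED:
        return _need(buf, pos, _FIXED[b]), 0
    if b in _BLOB:
        n, pos = _read_len(buf, pos, _BLOB[b])
        return _need(buf, pos, n), 0
    if b in _CONT:                                         # array16/32, map16/32
        width, per_item = _CONT[b]
        n, pos = _read_len(buf, pos, width)
        return pos, per_item * n
    if b in _FIXEXT:                                       # type byte, then data
        pos = _need(buf, pos, 1)
        return _ext(buf, pos, _FIXEXT[b], buf[pos - 1]), 0
    if b in _EXT:                                          # length, type byte, data
        n, pos = _read_len(buf, pos, _EXT[b])
        pos = _need(buf, pos, 1)
        return _ext(buf, pos, n, buf[pos - 1]), 0
    raise InvalidMessagePack(f"reserved or unknown format byte 0x{b:02x}")


def validate(buf, max_depth=32):
    """Walk one top-level value iteratively, so a deeply nested payload cannot
    overflow the validator's own stack either. Returns the end offset."""
    pos, pending = 0, [1]            # pending[i] = values still to read at depth i
    while pending:
        if pending[-1] == 0:
            pending.pop()
            continue
        pending[-1] -= 1
        if pos >= len(buf):
            raise InvalidMessagePack(f"truncated value at offset {pos}")
        pos, children = _header(buf, pos)
        if children:
            if len(pending) >= max_depth:
                raise InvalidMessagePack("nesting deeper than max_depth")
            pending.append(children)
    if pos != len(buf):
        raise InvalidMessagePack(f"{len(buf) - pos} trailing bytes")
    return pos


def reject_reason(buf, max_depth=32):
    """None if the payload may be handed to the deserializer, else the reason."""
    try:
        validate(buf, max_depth)
        return None
    except InvalidMessagePack as e:
        return str(e)


# Constructed sample payloads (not taken from the advisory).
BENIGN = b"\x81\xa2ts\xd6\xff\x65\xb3\x21\x00"  # {"ts": timestamp32}
BENIGN_96 = b"\xc7\x0c\xff" + bytes(12)          # timestamp96: ext8, length 12
OVERSIZED = b"\xc9\xff\xff\xff\xff\xff"          # 6 bytes that declare a 4 GiB timestamp
WRONG_LEN = b"\xc7\x0d\xff" + bytes(13)          # type -1 with 13 data bytes present
OTHER_EXT = b"\xc7\x0d\x05" + bytes(13)          # custom ext type 5 of 13 bytes: allowed

if __name__ == "__main__":
    for p in (BENIGN, BENIGN_96, OVERSIZED, WRONG_LEN, OTHER_EXT):
        print(p.hex(), "->", reject_reason(p) or "ok")
```

Run `reject_reason` on every inbound buffer and drop the message when it returns a reason; only payloads that pass are handed to the deserializer. The walk is iterative and bounded by `max_depth` on purpose: a guard that could itself be crashed by a nested payload would just move the denial of service one layer out. Non-timestamp extensions of any length are still allowed, as long as their declared data is actually present.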