CVE-2024-43483
Denial of Service vulnerability in System.Security.Cryptography.Cose (NuGet)

Category: Denial of Service. Known exploit: none.

What is CVE-2024-43483 About?

This is a denial of service vulnerability affecting various .NET components including System.Security.Cryptography.Cose, System.IO.Packaging, and Microsoft.Extensions.Caching.Memory. It allows attackers to trigger a hash flooding attack by providing hostile input, leading to resource exhaustion and service unavailability. Exploitation appears possible with specially crafted input.

Affected Software

  • System.Security.Cryptography.Cose
    • >9.0.0-preview.1.24080.9, <9.0.0-rc.2.24473.5
    • >8.0.0-preview.1.23110.8, <8.0.1
  • System.IO.Packaging
    • >9.0.0-preview.1.24080.9, <9.0.0-rc.2.24473.5
    • >6.0.0-preview.1.21102.12, <6.0.1
    • >8.0.0-preview.1.23110.8, <8.0.1
  • Microsoft.Extensions.Caching.Memory
    • >6.0.0-preview.1.21102.12, <6.0.2
    • >9.0.0-preview.1.24080.9, <9.0.0-rc.2.24473.5
    • >8.0.0-preview.1.23110.8, <8.0.1

Technical Details

The vulnerability in .NET components such as System.Security.Cryptography.Cose, System.IO.Packaging, and Microsoft.Extensions.Caching.Memory is their susceptibility to hash flooding attacks. When these components process hostile input, an attacker can craft data that, when hashed, produces a large number of collisions. Colliding keys degrade the hash tables and similar structures these components use from constant-time to linear-time operations, so a modest volume of input consumes excessive CPU and memory. As a result, the application or service becomes unresponsive, culminating in a denial of service (DoS) for legitimate users. This can affect .NET 8.0 applications running on .NET 8.0.8 or earlier, .NET 6.0 applications running on .NET 6.0.33 or earlier, and applications consuming affected packages in .NET 9.0.

What is the Impact of CVE-2024-43483?

Successful exploitation may allow attackers to cause a denial of service, rendering affected .NET applications and services unavailable to legitimate users.

What is the Exploitability of CVE-2024-43483?

Exploitation of this vulnerability involves an attacker sending hostile input to an application utilizing the affected .NET components. This represents a remote attack vector. There are no explicitly stated authentication or privilege requirements, suggesting that any actor capable of sending data to the vulnerable application could initiate the attack. The complexity is moderate, requiring an understanding of hash algorithms and how to craft inputs that induce collisions efficiently. While Microsoft has not identified any mitigating factors, updating to patched versions of .NET or affected packages is required. The primary risk factor is external-facing applications that process untrusted input without sufficient validation or rate limiting, thereby exposing them to hash flooding attacks.

What are the Known Public Exploits?

No known public exploits (no proof of concept, author, link, or commentary listed).

What are the Available Fixes for CVE-2024-43483?

Available Upgrade Options

  • System.IO.Packaging
    • >6.0.0-preview.1.21102.12, <6.0.1 → Upgrade to 6.0.1
    • >8.0.0-preview.1.23110.8, <8.0.1 → Upgrade to 8.0.1
    • >9.0.0-preview.1.24080.9, <9.0.0-rc.2.24473.5 → Upgrade to 9.0.0-rc.2.24473.5
  • System.Security.Cryptography.Cose
    • >8.0.0-preview.1.23110.8, <8.0.1 → Upgrade to 8.0.1
    • >9.0.0-preview.1.24080.9, <9.0.0-rc.2.24473.5 → Upgrade to 9.0.0-rc.2.24473.5
  • Microsoft.Extensions.Caching.Memory
    • >6.0.0-preview.1.21102.12, <6.0.2 → Upgrade to 6.0.2
    • >8.0.0-preview.1.23110.8, <8.0.1 → Upgrade to 8.0.1
    • >9.0.0-preview.1.24080.9, <9.0.0-rc.2.24473.5 → Upgrade to 9.0.0-rc.2.24473.5
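To check a project's package references against the ranges listed above, here is an added Python script; it is not part of the advisory and is not Microsoft's or Resolved Security's tooling. It assumes NuGet applies SemVer 2.0 precedence to these pre-release labels, treats both range bounds as exclusive exactly as the page writes them, and scans a constructed sample .csproj.

```python
import xml.etree.ElementTree as ET

# Affected ranges copied from the advisory: (lower bound, upper bound), both exclusive as
# written on the page; the upper bound is also the version to upgrade to.
AFFECTED = {
    "System.Security.Cryptography.Cose": [("8.0.0-preview.1.23110.8", "8.0.1"),
                                          ("9.0.0-preview.1.24080.9", "9.0.0-rc.2.24473.5")],
    "System.IO.Packaging": [("6.0.0-preview.1.21102.12", "6.0.1"), ("8.0.0-preview.1.23110.8", "8.0.1"),
                            ("9.0.0-preview.1.24080.9", "9.0.0-rc.2.24473.5")],
    "Microsoft.Extensions.Caching.Memory": [("6.0.0-preview.1.21102.12", "6.0.2"),
                                            ("8.0.0-preview.1.23110.8", "8.0.1"),
                                            ("9.0.0-preview.1.24080.9", "9.0.0-rc.2.24473.5")],
}

def version_key(v):
    """Comparable key with SemVer 2.0 precedence (assumed to match NuGet here): numeric core first,
    a release above every pre-release of the same core, numeric labels below alphanumeric ones."""
    core, _, pre = v.split("+")[0].partition("-")      # drop build metadata, split pre-release
    nums = [int(x) for x in core.split(".")]
    nums += [0] * (4 - len(nums))                        # NuGet treats 8.0.1 and 8.0.1.0 as equal
    if not pre:
        return (nums, 1, [])
    ids = [(0, int(p), "") if p.isdigit() else (1, 0, p.lower()) for p in pre.split(".")]
    return (nums, 0, ids)

def is_affected(package, version):
    """Return (lower, fixed) for the advisory range containing `version`, else None."""
    k = version_key(version)
    for lower, fixed in AFFECTED.get(package, []):
        if version_key(lower) < k < version_key(fixed):
            return (lower, fixed)
    return None

def scan_csproj(xml_text):
    """List (package, version, fixed_version) for every vulnerable <PackageReference>."""
    findings = []
    for ref in ET.fromstring(xml_text).iter("PackageReference"):
        pkg, ver = ref.get("Include"), ref.get("Version")
        hit = is_affected(pkg, ver) if pkg and ver else None
        if hit:
            findings.append((pkg, ver, hit[1]))
    return findings

# Constructed sample project file, not taken from any real repository.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="System.Security.Cryptography.Cose" Version="8.0.0" />
    <PackageReference Include="Microsoft.Extensions.Caching.Memory" Version="6.0.1" />
    <PackageReference Include="System.IO.Packaging" Version="8.0.1" />
  </ItemGroup>
</Project>"""
```

Running `scan_csproj(SAMPLE_CSPROJ)` flags the Cose and Caching.Memory references and leaves System.IO.Packaging 8.0.1 alone, since it already sits on the fixed version.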


Additional Resources

What are Similar Vulnerabilities to CVE-2024-43483?

Similar Vulnerabilities: CVE-2023-38174, CVE-2023-28292, CVE-2023-29331, CVE-2023-29328, GHSA-gmc6-fwg3-75m5