CVE-2024-30105 - .NET Core and Visual Studio Denial of Service Vulnerability Explained

On May 14, 2024, Microsoft published CVE-2024-30105, a serious Denial of Service (DoS) vulnerability affecting .NET Core and Visual Studio. This flaw can allow an attacker to crash applications or development environments simply by providing crafted input. In this post, I'll break down the vulnerability in simple terms, show how it works with code samples, provide references to the original advisory, and explain how attackers might exploit it.

What is CVE-2024-30105?

CVE-2024-30105 is a vulnerability in how .NET Core and Visual Studio process certain data. If a malicious actor sends a specially crafted payload to an affected .NET Core app, or injects it into a Visual Studio project, they can cause the target to hang (freeze) or crash—creating a Denial of Service for users and developers.

Visual Studio 2022 (prior to update 17.9.7)

Risk:
Attackers could use this to interrupt services, stop development work, or make systems unavailable to users.

Technical Background

The vulnerability arises from how certain data (for example, large or malformed project files, JSON/XML input, or HTTP requests) is handled. If input validation is skipped or inefficient parsing is used, an attacker could trigger heavy CPU load, memory exhaustion, or an unhandled exception.

Microsoft’s advisory:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-30105

Proof of Concept Exploit

Below is a sample C# web API application using .NET Core. The vulnerable endpoint takes a JSON payload but fails to validate input size. If an attacker sends a huge (or recursive) JSON body, the app can consume all available memory and crash.

Vulnerable Sample Code

using Microsoft.AspNetCore.Mvc;

// Vulnerable: Fails to limit input payload
[ApiController]
[Route("api/[controller]")]
public class DataController : ControllerBase
{
    [HttpPost]
    public IActionResult Process([FromBody] object payload)
    {
        // Directly handling arbitrary input!
        return Ok("Received " + payload.ToString());
    }
}

How to exploit:

Send a massive JSON object or deep recursive structure:

curl -X POST http://localhost:500/api/data -d @very-large-or-malicious.json --header "Content-Type: application/json"

If very-large-or-malicious.json is dozens of megabytes or deeply nested, the server hangs or crashes, causing a Denial of Service.

Exploiting Visual Studio

A developer might unknowingly open a project or solution file (.csproj, .sln) containing a malicious payload. Visual Studio tries to parse it, becomes unresponsive or crashes, disrupting the developer's work.

<!-- Malicious Project File Snippet -->
<Project>
  <PropertyGroup>
    <SomeProperty> <!-- Recursively referenced property -->
      $(SomeProperty)
    </SomeProperty>
  </PropertyGroup>
</Project>

How to Fix and Protect Yourself

Microsoft’s remedy:

Update your .NET Core and Visual Studio installations:

- .NET 8.0.5, 7.0.19, or 6.0.29 (or newer): https://dotnet.microsoft.com/download/dotnet
- Visual Studio 2022 17.9.7: https://visualstudio.microsoft.com/downloads/

In your code:

Example of Defensive Coding

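using Microsoft.AspNetCore.Mvc;

// Hardened: rejects request bodies larger than 1 MB before model binding
[ApiController]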
[Route("api/[controller]")]
public class DataController : ControllerBase
{
    [HttpPost]
    [RequestSizeLimit(1024 * 1024)] // Limit: 1MB
    public IActionResult Process([FromBody] object payload)
    {
        if (payload == null)
            return BadRequest("Empty payload.");
        return Ok("Received safely");
    }
}
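
The size limit above does not bound nesting depth, the other input shape this post describes. The following is an added example, not code from the original post or from Microsoft, and it does not replace installing the update; `BoundedJson`, `TryParse` and both limits are assumptions chosen for illustration.

```csharp
#nullable enable
using System;
using System.Text;
using System.Text.Json;
public static class BoundedJson
{
    // Assumed limits for illustration; tune them to your API's real payloads.
    private const int ByteLimit = 1024 * 1024; // same 1 MB cap as RequestSizeLimit
    private const int DepthLimit = 16;         // System.Text.Json defaults to 64

    // Hypothetical helper: succeeds only when the body is within both limits
    // and is well-formed JSON. The caller disposes the returned document.
    public static bool TryParse(ReadOnlyMemory<byte> utf8Body,
                                out JsonDocument? doc, out string error)
    {
        doc = null;
        error = "";
        if (utf8Body.Length > ByteLimit) { error = "payload too large"; return false; }
        try
        {
            doc = JsonDocument.Parse(utf8Body, new JsonDocumentOptions { MaxDepth = DepthLimit });
            return true;
        }
        catch (JsonException ex)
        {
            // Raised for malformed JSON and when nesting exceeds DepthLimit.
            error = "rejected: " + ex.Message;
            return false;
        }
    }

    public static void Main()
    {
        // Constructed sample inputs, not captured traffic.
        var samples = new (string Label, byte[] Body)[]
        {
            ("normal", Encoding.UTF8.GetBytes("{\"name\":\"widget\",\"tags\":[\"a\",\"b\"]}")),
            ("nested", Encoding.UTF8.GetBytes(new string('[', 1000) + new string(']', 1000))),
            ("oversized", new byte[ByteLimit + 1]),
        };
        foreach (var (label, body) in samples)
        {
            bool ok = TryParse(body, out var doc, out var error);
            Console.WriteLine($"{label}: {(ok ? "accepted" : error)}");
            doc?.Dispose();
        }
    }
}
```

In an ASP.NET Core application the same depth bound can be applied to model binding once at startup with `AddControllers().AddJsonOptions(o => o.JsonSerializerOptions.MaxDepth = 16)`.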

References and Further Reading

- Microsoft CVE-2024-30105 Advisory
- .NET Security Updates (May 2024)
- Official Visual Studio Security Updates

Conclusion

CVE-2024-30105 is a critical reminder: even modern frameworks like .NET Core and tools like Visual Studio can have vulnerabilities that let attackers bring your work to a halt. Update your systems promptly, validate all untrusted input, and follow best security practices to keep your applications and development environments running safely.


Timeline

Published on: 07/09/2024 17:15:17 UTC
Last modified on: 07/12/2024 23:45:33 UTC