TID-326: Insecure Deserialization
Threat Description
Many object-oriented languages use serialization to convert class objects into byte strings for more efficient storage or transmission. However, if an untrusted byte string is deserialized without proper validation of its contents, it can be used to exploit a vulnerability in the associated deserialization library or in the application that receives it. A threat actor could send a maliciously crafted serialized object to a device to exploit a deserialization vulnerability within that device.
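Added illustration, not part of the TID-326 entry or of any source it cites: the pattern described above in Python, with the standard-library pickle module standing in for the .NET and Java serializers named below. The Reading record, RestrictedUnpickler, the loader functions and the sample byte strings are all constructed for this example. The unsafe loader lets the incoming byte string decide which classes are instantiated; the restricted loader limits deserialization to an allowlist of types (the control that CVE-2022-1118 below describes as missing); the JSON loader shows the preferred alternative, a data-only format whose contents the receiver validates itself.

```python
import collections
import io
import json
import pickle
from dataclasses import dataclass


@dataclass(frozen=True)
class Reading:
    """Constructed example of a record a device might receive over the network."""
    sensor_id: str
    value: float


# --- Vulnerable pattern (CWE-502): the byte string decides which classes get
# instantiated. pickle.loads() resolves and calls any global the stream names,
# so whatever the sender chose runs with the receiver's privileges.
def load_untrusted_unsafe(data: bytes):
    return pickle.loads(data)


# --- Mitigation 1: limit the objects that can be deserialized.
# Only the (module, name) pairs listed here may be resolved while unpickling,
# and the check runs before any object is constructed. The module name is read
# from the class itself so the allowlist is correct however this file is imported.
ALLOWED_GLOBALS = frozenset({(Reading.__module__, "Reading")})


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global in stream: {module}.{name}")


def load_untrusted_restricted(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


# --- Mitigation 2 (preferred): use a data-only format and validate the contents
# explicitly. JSON can only yield dicts, lists and scalars, so the wire format
# cannot name a class at all; the receiver alone decides what gets built.
def load_reading_json(data: bytes) -> Reading:
    obj = json.loads(data)
    if not isinstance(obj, dict) or set(obj) != {"sensor_id", "value"}:
        raise ValueError("unexpected structure")
    value = obj["value"]
    if not isinstance(obj["sensor_id"], str):
        raise ValueError("sensor_id must be a string")
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError("value must be numeric")
    return Reading(obj["sensor_id"], float(value))


def demo() -> dict:
    """Run the three loaders against a trusted record and a constructed stream
    that references a class the receiver never asked for. OrderedDict stands in
    for any sender-chosen type; the point is that the receiver did not allow it."""
    expected = Reading("pump-7", 21.5)
    trusted = pickle.dumps(expected, protocol=4)
    foreign = pickle.dumps(collections.OrderedDict(sensor_id="pump-7"), protocol=4)

    results = {}
    results["unsafe_accepts_foreign"] = isinstance(
        load_untrusted_unsafe(foreign), collections.OrderedDict)
    results["restricted_accepts_trusted"] = load_untrusted_restricted(trusted) == expected
    try:
        load_untrusted_restricted(foreign)
        results["restricted_rejects_foreign"] = False
    except pickle.UnpicklingError:
        results["restricted_rejects_foreign"] = True
    results["json_accepts_trusted"] = (
        load_reading_json(b'{"sensor_id": "pump-7", "value": 21.5}') == expected)
    try:
        load_reading_json(b'{"sensor_id": "pump-7", "value": 21.5, "__class__": "x"}')
        results["json_rejects_extra_fields"] = False
    except ValueError:
        results["json_rejects_extra_fields"] = True
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The allowlist is the minimum for a format that carries type names; note that it rejects the stream on the first unknown global, before any constructor or state is applied. Where the protocol can be changed, the JSON loader is the stronger design, because the question of which classes the peer may instantiate never arises.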
Threat Maturity and Evidence
Observed Adversary Behavior
Now You Serial, Now You Don’t — Systematically Hunting for Deserialization Exploits
Mandiant has reported that between 2019 and 2021 APT41 used .NET ViewState and Java deserialization vulnerabilities in its campaigns.
Known Exploited Vulnerability
Kentico Xperience Deserialization of Untrusted Data Vulnerability
“An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9.x versions. Due to a failure to validate security headers, it was possible for a specially crafted request to the staging service to bypass the initial authentication and proceed to deserialize user-controlled .NET object input. This deserialization then led to unauthenticated remote code execution on the server where the Kentico instance was hosted.”
CWE
CWE-502: Deserialization of Untrusted Data (Base)
“The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.”
CVE
Rockwell Automation ISaGRAF - CVE-2022-1118
“Connected Components Workbench, ISaGRAF Workbench, and Safety Instrumented System Workstation do not limit the objects that can be deserialized. This allows attackers to craft a malicious serialized object that, if opened by a local user in Connected Components Workbench, may result in arbitrary code execution. This vulnerability requires user interaction to be successfully exploited.”
Medtronic Paceart Optima System - CVE-2023-31222
“Deserialization of untrusted data in Microsoft Messaging Queuing Service in Medtronic’s Paceart Optima versions 1.11 and earlier on Windows allows an unauthorized user to impact a healthcare delivery organization’s Paceart Optima system cardiac device causing data to be deleted, stolen, or modified, or the Paceart Optima system being used for further network penetration via network connectivity.”
CVE-2021-4104
“JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228.”