Description

.NET Remoting is a Microsoft technology for interprocess communication. Acunetix detected a .NET Remoting over HTTP endpoint on the web application. The technology depends on SoapFormater serialization mechanism which is vulnerable to deserialization attack by default.

Remediation

Restrict access to the .NET Remoting endpoint.

References

Finding and Exploiting .NET Remoting over HTTP using Deserialisation

Related Vulnerabilities

PHP Deserialization of Untrusted Data Vulnerability (CVE-2007-1701)

Jenkins Deserialization of Untrusted Data Vulnerability (CVE-2017-1000353)

WordPress 4.7.x Multiple Vulnerabilities (4.7 - 4.7.18)

Flex BlazeDS AMF Deserialization RCE

WordPress Plugin CiviCRM Remote Code Execution (5.24.2)

Severity

High

Classification

CWE-502 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Insecure Deserialization