CVE-2024-20672 Overview
CVE-2024-20672 is a Denial of Service (DoS) vulnerability affecting Microsoft .NET Framework. This vulnerability allows unauthenticated remote attackers to cause a denial of service condition in applications built on the .NET platform. The flaw stems from improper resource consumption handling (CWE-400: Uncontrolled Resource Consumption), which can be exploited to exhaust system resources and render affected applications unresponsive.
Critical Impact
Remote attackers can exploit this vulnerability without authentication to cause application unavailability, potentially disrupting business-critical services running on .NET infrastructure.
Affected Products
- Microsoft .NET Framework (multiple versions)
- Applications built on vulnerable .NET runtime versions
- Systems running unpatched .NET environments
Discovery Timeline
- January 9, 2024 - CVE-2024-20672 published to NVD
- March 28, 2025 - Last updated in NVD database
Technical Details for CVE-2024-20672
Vulnerability Analysis
This vulnerability is classified as CWE-400 (Uncontrolled Resource Consumption), a type of flaw where an application fails to properly limit the resources it consumes. In the context of Microsoft .NET, this means the framework does not adequately control resource allocation when processing certain requests or data, leading to potential resource exhaustion.
The attack can be executed remotely over the network without requiring authentication or user interaction, making it particularly dangerous for internet-facing .NET applications. When exploited, the vulnerability causes the targeted application to consume excessive system resources, ultimately leading to service degradation or complete unavailability.
Root Cause
The root cause of CVE-2024-20672 lies in inadequate resource management within the .NET framework. Specifically, certain operations do not properly bound resource consumption, allowing attackers to craft malicious inputs that trigger excessive memory, CPU, or other resource utilization. This uncontrolled consumption pattern enables denial of service attacks against applications running on affected .NET versions.
Attack Vector
The vulnerability is exploitable remotely over the network (AV:N) with low attack complexity (AC:L). No privileges or user interaction are required for successful exploitation. An attacker can send specially crafted requests to a vulnerable .NET application to trigger the resource exhaustion condition.
The impact is limited to availability; confidentiality and integrity of data are not affected. For applications that require high availability, however, the vulnerability still poses a significant operational risk.
The exploitation mechanism involves sending malformed or specially constructed input to the .NET application that causes the framework to enter an uncontrolled resource consumption state. For detailed technical information, refer to the Microsoft Security Advisory.
Detection Methods for CVE-2024-20672
Indicators of Compromise
- Sudden spikes in memory or CPU utilization by .NET processes
- Application pool crashes or recycling in IIS hosting .NET applications
- Unusual network traffic patterns targeting .NET-based web services
- Service unavailability errors (HTTP 503) from .NET web applications
Detection Strategies
- Monitor .NET application performance metrics for abnormal resource consumption patterns
- Implement application-level logging to track request patterns and identify potential DoS attempts
- Configure Windows Performance Monitor to alert on elevated CLR Memory and ASP.NET counter values
- Deploy network intrusion detection systems (IDS) to identify malicious request patterns
Monitoring Recommendations
- Enable detailed logging for .NET applications to capture request characteristics before crashes
- Set up automated alerting for .NET process memory thresholds exceeding normal baselines
- Monitor event logs for System.OutOfMemoryException or similar resource exhaustion errors
- Implement health check endpoints to proactively detect application unresponsiveness
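The following script is an added example (not part of this advisory or of any Microsoft tooling) showing how the log-based indicators above can be checked mechanically: it parses a constructed IIS W3C log excerpt, flags clients with an unusually high request rate in a sliding window, counts slow responses that precede exhaustion, and reports the share of HTTP 503 responses. The log lines, IP addresses and thresholds are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed IIS W3C log excerpt (not real traffic): one client repeatedly
# hits an endpoint, responses slow down, then the worker starts returning 503.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status time-taken
2024-01-10 12:00:00 203.0.113.7 POST /api/import 200 120
2024-01-10 12:00:01 198.51.100.4 GET /health 200 5
2024-01-10 12:00:01 203.0.113.7 POST /api/import 200 4800
2024-01-10 12:00:02 203.0.113.7 POST /api/import 200 9100
2024-01-10 12:00:02 203.0.113.7 POST /api/import 503 0
2024-01-10 12:00:03 203.0.113.7 POST /api/import 503 0
2024-01-10 12:00:03 198.51.100.4 GET /health 503 0
2024-01-10 12:00:04 203.0.113.7 POST /api/import 503 0
2024-01-10 12:00:05 203.0.113.7 POST /api/import 503 0
"""


def parse_w3c(text):
    """Yield one dict per log row, naming columns from the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def find_dos_indicators(text, window_s=5, max_req=5, slow_ms=2000):
    """Summarise three indicators: bursty clients, slow responses (degradation)
    and the share of HTTP 503 responses (unavailability). Thresholds are assumed."""
    rows = list(parse_w3c(text))
    recent = defaultdict(deque)  # c-ip -> request timestamps inside the sliding window
    noisy_ips, slow, n503 = set(), 0, 0
    for r in rows:
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        q = recent[r["c-ip"]]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_s):
            q.popleft()
        if len(q) > max_req:
            noisy_ips.add(r["c-ip"])
        if int(r["time-taken"]) > slow_ms:
            slow += 1
        if r["sc-status"] == "503":
            n503 += 1
    return {
        "noisy_ips": sorted(noisy_ips),
        "slow_requests": slow,
        "ratio_503": n503 / len(rows) if rows else 0.0,
    }


if __name__ == "__main__":
    print(find_dos_indicators(SAMPLE_LOG))
```

Feed it the real W3C logs under %SystemDrive%\inetpub\logs\LogFiles and tune the window and thresholds to the application's normal baseline before alerting on the result.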
How to Mitigate CVE-2024-20672
Immediate Actions Required
- Apply the latest .NET security updates from Microsoft immediately
- Identify all systems running vulnerable .NET versions using software inventory tools
- Prioritize patching internet-facing .NET applications due to the remote exploitation vector
- Consider temporarily restricting access to vulnerable applications if patching is delayed
Patch Information
Microsoft has released security updates to address CVE-2024-20672. Administrators should consult the Microsoft Security Response Center advisory for specific patch details and affected version information. Additionally, NetApp customers should review the NetApp Security Advisory NTAP-20250328-0006 for guidance on affected NetApp products utilizing .NET components.
Workarounds
- Implement rate limiting at the network or application layer to reduce DoS impact
- Deploy a Web Application Firewall (WAF) with rules to filter potentially malicious requests
- Configure application pool recycling thresholds in IIS to automatically recover from resource exhaustion
- Use load balancers with health checks to route traffic away from unresponsive instances
REM Example: configure IIS application pool recycling as a resource limit (run from an elevated cmd.exe)
REM privateMemory is in KB; 1048576 KB = 1 GB. Adjust the value to your environment's baseline.
%windir%\system32\inetsrv\appcmd set apppool /apppool.name:"DefaultAppPool" /recycling.periodicRestart.privateMemory:1048576
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


