CVE-2024-48924: MessagePack-CSharp DoS Vulnerability

CVE-2024-48924 Overview

CVE-2024-48924 is a Denial of Service vulnerability in the MessagePack-CSharp library that affects applications deserializing messagepack data from untrusted sources. An attacker can send specially crafted data designed to produce hash collisions, leading to disproportionately large CPU consumption relative to the size of the data being processed. This vulnerability represents an inadequate fix for a prior security advisory (GHSA-7q36-4xx7-xcxf) that addressed the hash collision component of the vulnerability.

Critical Impact

Applications using MessagePack-CSharp to deserialize untrusted data are vulnerable to resource exhaustion attacks that can render services unavailable through algorithmic complexity exploitation.

Affected Products

• MessagePack-CSharp library (versions prior to security patch)
• MessagePack.UnityClient implementations
• Applications deserializing MessagePack data from untrusted sources

Discovery Timeline

• October 17, 2024 - CVE-2024-48924 published to NVD
• October 18, 2024 - Last updated in NVD database

Technical Details for CVE-2024-48924

Vulnerability Analysis

This vulnerability falls under CWE-328 (Reversible One-Way Hash) and represents an Algorithmic Complexity Attack targeting the deserialization process. The root issue lies in the hash collision resistance mechanism used when processing MessagePack data structures. When the library encounters dictionary or hash-based data structures during deserialization, it relies on hash functions to organize and access data efficiently. An attacker can craft input data with keys specifically designed to produce hash collisions, forcing the hash table into worst-case O(n) performance instead of the expected O(1) average case.

The attack is network-accessible without requiring authentication or user interaction, making it particularly dangerous for internet-facing services that accept MessagePack-formatted data. The vulnerability specifically affects the GetHashCollisionResistantEqualityComparer<T> method in the MessagePackSecurity class, where the previous fix proved inadequate in providing sufficient collision resistance.

Root Cause

The vulnerability stems from the use of a weak or predictable hash algorithm in the equality comparer implementation. The prior advisory attempted to address this by implementing collision-resistant equality comparers, but the fix was incomplete. The HashCode struct used in .NET has known limitations regarding hash collision resistance when facing adversarial inputs, as documented in the .NET team's threat model discussion. The security patches introduce SipHash, a cryptographically stronger hash function designed to resist hash-flooding attacks.

Attack Vector

The attack requires an attacker to send MessagePack-formatted data to an application that deserializes this data using the vulnerable library. The attacker crafts the data with dictionary keys that produce hash collisions when processed by the weak hash function. This causes hash table operations to degrade from constant time to linear time, resulting in exponential CPU consumption. The attack can be executed remotely over the network without authentication, targeting any endpoint that accepts and deserializes MessagePack data.

// Security patch introducing SipHash - Source: GitHub Commit
    <Compile Include="..\..\src\MessagePack\SafeBitConverter.cs">
      <Link>Code\SafeBitConverter.cs</Link>
    </Compile>
+    <Compile Include="..\..\src\MessagePack\SipHash.cs">
+      <Link>Code\SipHash.cs</Link>
+    </Compile>
    <Compile Include="..\..\src\MessagePack\MessagePackCode.cs">
      <Link>Code\MessagePackCode.cs</Link>
    </Compile>

Source: GitHub Commit 8e599af

Detection Methods for CVE-2024-48924

Indicators of Compromise

• Abnormally high CPU utilization during MessagePack deserialization operations
• Increased request processing times for endpoints accepting MessagePack data
• Memory consumption spikes correlated with incoming MessagePack requests
• Application timeouts or unresponsiveness when processing specific payloads

Detection Strategies

• Monitor CPU utilization patterns on services processing MessagePack data, looking for sustained spikes
• Implement request timeout monitoring to detect slow deserialization operations
• Review application dependencies to identify vulnerable MessagePack-CSharp versions
• Analyze incoming MessagePack payloads for unusually high numbers of dictionary keys

Monitoring Recommendations

• Set up alerts for CPU usage exceeding baseline thresholds on MessagePack-processing services
• Monitor request latency metrics for deserialization endpoints
• Implement rate limiting on endpoints that accept MessagePack data from untrusted sources
• Configure application performance monitoring to track deserialization operation durations

How to Mitigate CVE-2024-48924

Immediate Actions Required

• Upgrade MessagePack-CSharp to the latest patched version immediately
• Review and implement security configurations for untrusted data as outlined in the prior security advisory
• Audit all application endpoints that accept MessagePack-formatted data from untrusted sources
• Implement input size limits and request rate limiting as defense-in-depth measures

Patch Information

The vulnerability has been addressed through the introduction of SipHash, a collision-resistant hash function. The patches are available in commits 8e599af0798b45008f8b293a7f233e4878f11ed5 and f8d40b3ad0be01c6e56cb51ecea81f59d98c192d. Organizations should update to the latest version of MessagePack-CSharp that includes these fixes. For detailed security guidance, refer to the official documentation for MessagePack 1.x or MessagePack 2.x.

Workarounds

• Create a custom class deriving from MessagePackSecurity and override GetHashCollisionResistantEqualityComparer<T> to provide a collision-resistant hash function
• Configure MessagePackSerializerOptions with an instance of the custom security class using WithSecurity
• Apply the custom options object to all deserialization operations via MessagePackSerializer.DefaultOptions or explicit parameter passing
• Avoid calling base.GetHashCollisionResistantEqualityComparer<T>() in the custom implementation

# Custom MessagePackSecurity implementation workaround
public class CustomMessagePackSecurity : MessagePackSecurity
{
    protected override IEqualityComparer<T> GetHashCollisionResistantEqualityComparer<T>()
    {
        // Implement your own collision-resistant hash function
        // Do NOT call base.GetHashCollisionResistantEqualityComparer<T>()
        return new CustomCollisionResistantComparer<T>();
    }
}

// Configure options with custom security
var options = MessagePackSerializerOptions.Standard
    .WithSecurity(new CustomMessagePackSecurity());
MessagePackSerializer.DefaultOptions = options;