CVE-2024-29059: .NET HTTP Remoting RCE
What this means
CVE-2024-29059 is a critical vulnerability in .NET HTTP Remoting which can allow for remote code execution.
Why this is a problem
A remote code execution vulnerability could allow an attacker to send a malicious payload to the web server to cause it to execute arbitrary code. This could then be used to allow an attacker unauthorised access to the system and to sensitive data.
This requires no user intervention to exploit so is considered critical on internet facing services.
HTTP remoting is considered deprecated and can be an indication of a legacy software or service in use.
How to check if the problem is there
Check the server to determine its patch and update status.
Presence of this vulnerability could indicate that the service is:
- not receiving its monthly security and quality updates
- end of life/out of support
- not enrolled in extended security updates (ESU)
Providing that the server is receiving monthly updates from Microsoft correctly, it should have applied the necessary 2024 .NET Framework updates to fix this issue.
The specific patches to resolve this vulnerability can be found on the Microsoft Security Response website.
How to fix this
Ensure that the server continues to receive all cumulative monthly updates from Microsoft, specifically .NET framework security and quality updates.
Plan to update, upgrade, or replace the web service which replies on web remoting.
If this is not possible due to the server being out of support or end of life, consider implementing the following mitigations:
- a Web Application Firewall (WAF) or Next Generation Firewall (NGFW) product in front of the service to block malicious requests arriving at the server
- IP whitelisting
- geolocation based IP address blocking
- micro segmentation in back-end infrastructure to limit lateral movement in the event of compromise
You can also monitor web server logs via SIEM and EDR products to detect host intrusion.