Azure (OpenTelemetryResourcesAzure), Denial of Service (DoS) via Unbounded Memory Allocation, CVE-NOT-PROVIDED (Medium)


The vulnerability exists in the `AzureVmMetaDataRequestor` class of the OpenTelemetry.Resources.Azure library. This class makes HTTP GET requests to the Azure VM instance metadata service (IMDS) endpoint at `http://169.254.169.254` to collect resource attributes. The request uses `HttpClient` with default settings, which buffers the entire HTTP response body into a `MemoryStream` before processing. An attacker who controls this endpoint (e.g., via DNS spoofing, ARP poisoning, or a maliciously configured endpoint) or performs a Man-in-the-Middle (MitM) attack can return an arbitrarily large response body, for example a 10 GiB payload. The consuming code neither checks the `Content-Length` header nor imposes any read limit. As the client reads the response, the allocation grows unbounded on the managed heap, triggering high memory pressure, long garbage collection pauses, and eventually an `OutOfMemoryException`. This crashes the application process (Denial of Service). The real metadata service returns small JSON documents (< 64 KiB), but the lack of a size limit turns a trusted endpoint into a vulnerability when that endpoint is compromised or impersonated. The fix introduces a 4 MiB response size cap and switches to streaming (`HttpCompletionOption.ResponseHeadersRead`) so the whole body is no longer buffered.

dailycve form:

Platform: .NET library
Version: <1.15.0-beta.2
Vulnerability: Unbounded memory allocation
Severity: Medium
Date: 2025-01-15 (estimated disclosure)

Prediction: Patch already available

What Undercode Say:

# Simulate a malicious metadata server returning 5 GB of garbage
nc -l 169.254.169.254 80 <<< "HTTP/1.1 200 OK\r\nContent-Length: 5000000000\r\n\r\n$(dd if=/dev/zero bs=1M count=5000 2>/dev/null)"
# Check process memory usage before the exploit
ps aux | grep dotnet
# After the exploit, watch for the OOM killer or process termination
dmesg | grep -i "out of memory"
// Vulnerable code snippet (pre-fix): the whole body is buffered before any size check is possible
var response = await _httpClient.GetAsync(endpoint);
byte[] body = await response.Content.ReadAsByteArrayAsync(); // fully buffered
// Fixed code (streaming + 4 MiB limit): return on headers, then read the body into a bounded buffer
const int MaxResponseBytes = 4 * 1024 * 1024;
var request = new HttpRequestMessage(HttpMethod.Get, endpoint);
var response = await _httpClient.SendAsync(request, HttpCompletionOption.ResponseHeadersRead);
using var stream = await response.Content.ReadAsStreamAsync();
var buffer = new byte[MaxResponseBytes];
int total = 0, read;
while (total < buffer.Length && (read = await stream.ReadAsync(buffer.AsMemory(total, buffer.Length - total))) > 0)
    total += read; // never reads past the cap; a body that fills the buffer is treated as over the limit
if (total == buffer.Length) throw new InvalidOperationException("metadata response exceeds the 4 MiB cap");
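As an added example (not the library's or the page author's code), the hardened fetch the fix describes, exercised against a constructed in-process rogue endpoint so it runs offline: `BoundedImdsReader`, `ZeroStream` and `RogueHandler` are hypothetical names, and the block assumes .NET 6 or later. It rejects an oversized declared `Content-Length` early, streams with `ResponseHeadersRead`, and refuses any body over 4 MiB instead of buffering it.

```csharp
using System;
using System.IO;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

using var client = new HttpClient(new RogueHandler()); // reader wired to the constructed rogue endpoint below
try { await BoundedImdsReader.FetchAsync(client, "http://169.254.169.254/metadata/instance?api-version=2021-02-01"); }
catch (InvalidDataException e) { Console.WriteLine($"rejected: {e.Message}"); } // the heap never grows past the cap

// Hypothetical hardened reader (assumed name); not the library's own code.
static class BoundedImdsReader
{
    public const int MaxResponseBytes = 4 * 1024 * 1024; // 4 MiB cap, as in the fix
    public static async Task<byte[]> FetchAsync(HttpClient client, string url, CancellationToken ct = default)
    {
        using var request = new HttpRequestMessage(HttpMethod.Get, url);
        request.Headers.Add("Metadata", "true"); // header Azure IMDS requires on every request
        // ResponseHeadersRead: return as soon as headers arrive instead of buffering the whole body
        using var response = await client.SendAsync(request, HttpCompletionOption.ResponseHeadersRead, ct);
        response.EnsureSuccessStatusCode();
        if (response.Content.Headers.ContentLength > MaxResponseBytes) // attacker-controlled, but cheap to reject early
            throw new InvalidDataException($"IMDS declared {response.Content.Headers.ContentLength} bytes; cap is {MaxResponseBytes}");
        using var stream = await response.Content.ReadAsStreamAsync(ct);
        var buffer = new byte[MaxResponseBytes + 1]; // one spare byte: filling it means the body is over the cap
        int total = 0, read;
        while (total < buffer.Length &&
               (read = await stream.ReadAsync(buffer.AsMemory(total, buffer.Length - total), ct)) > 0)
            total += read;
        if (total > MaxResponseBytes)
            throw new InvalidDataException("IMDS body exceeds 4 MiB cap; refusing to buffer it");
        return buffer.AsSpan(0, total).ToArray();
    }
}

// Constructed rogue endpoint: a body with no Content-Length that streams zeros for as long as the client reads.
sealed class ZeroStream : Stream
{
    public override bool CanRead => true; public override bool CanSeek => false; public override bool CanWrite => false;
    public override long Length => throw new NotSupportedException();
    public override long Position { get => throw new NotSupportedException(); set => throw new NotSupportedException(); }
    public override void Flush() { } public override long Seek(long o, SeekOrigin s) => throw new NotSupportedException();
    public override int Read(byte[] buf, int off, int count) { Array.Clear(buf, off, count); return count; }
    public override void SetLength(long v) => throw new NotSupportedException();
    public override void Write(byte[] b, int o, int c) => throw new NotSupportedException();
}
sealed class RogueHandler : HttpMessageHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage req, CancellationToken ct) =>
        Task.FromResult(new HttpResponseMessage { Content = new StreamContent(new ZeroStream()) });
}
```

Because `ZeroStream` is not seekable, `StreamContent` sends no `Content-Length`, so the early check cannot fire and the bounded read loop is what stops the allocation.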

Exploit:

The attacker routes the victim's metadata traffic to a rogue HTTP server that returns `Content-Length: 4294967295` followed by endless bogus data. The victim's .NET process exhausts memory within seconds and crashes.

Protection from this CVE:

Upgrade to OpenTelemetry.Resources.Azure >=1.15.0-beta.2. If an upgrade is not possible, disable the Azure VM resource detector via `OTEL_DOTNET_AUTO_AZURE_RESOURCE_DETECTION_ENABLED=false`, or apply firewall rules that block port 80 to 169.254.254.254 except for legitimate IMDS traffic (note: IMDS uses 169.254.169.254). Use mTLS or network policies to prevent MitM on internal networks.

Impact:

Denial of Service – a remote attacker with MitM capability or control of the metadata endpoint crashes any .NET application that uses the vulnerable library to detect Azure resources. No data leakage or privilege escalation; only loss of availability.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
