AjaxPro.NET Professional Deserialization RCE (CVE-2021-23758)
Description
This vulnerability affects web applications using the AjaxPro.NET library in configurations that permit deserialization of arbitrary object types. Deserialization is the process of converting serialized data back into objects; when an application deserializes untrusted input without validating it, an attacker can cause objects of attacker-chosen types to be instantiated, which can lead to arbitrary code execution. Affected AjaxPro.NET configurations do not sufficiently restrict which types may be deserialized, so a remote attacker can submit a crafted request that exploits this weakness.
Remediation
Upgrade the AjaxPro.NET library to the latest patched version that addresses CVE-2021-23758. Consult the official AjaxPro.NET repository or security advisories to identify the specific fixed version for your deployment.
As additional defense-in-depth measures:
• Implement strict input validation and type whitelisting for all deserialization operations
• Avoid deserializing data from untrusted sources whenever possible
• Consider using safer serialization formats, such as JSON with explicit type handling, so that the input cannot dictate which types are instantiated
• Apply the principle of least privilege to the application's service account to limit the impact of potential exploitation
• Monitor for unusual DNS queries or outbound connections that may indicate exploitation attempts
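The type whitelisting recommended above, shown as an added example that is not part of this advisory or of AjaxPro.NET's own code: it uses Json.NET's ISerializationBinder to illustrate the deny-by-default pattern, and the OrderRequest, AllowListBinder and Demo names are assumed for the illustration. The same rule applies to whatever deserializer the application uses: the input must never be allowed to name an arbitrary type.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical request type that this endpoint legitimately accepts.
public sealed class OrderRequest
{
    public int OrderId { get; set; }
    public string Note { get; set; }
}

// Deny-by-default binder: a type hint in the payload is honoured only if
// it names a type on this explicit allow-list; anything else fails closed.
public sealed class AllowListBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed =
        new Dictionary<string, Type> { { typeof(OrderRequest).FullName, typeof(OrderRequest) } };
    public Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var type))
            return type;
        // Rejected hints are worth logging: they are a strong detection signal.
        throw new JsonSerializationException("Type not permitted: " + typeName);
    }
    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.FullName;
    }
}

public static class Demo
{
    // If type hints are not needed at all, TypeNameHandling.None is safer still.
    private static readonly JsonSerializerSettings Settings = new JsonSerializerSettings
    {
        TypeNameHandling = TypeNameHandling.Objects,
        SerializationBinder = new AllowListBinder(),
    };
    public static OrderRequest Parse(string json) =>
        JsonConvert.DeserializeObject<OrderRequest>(json, Settings);
    public static void Main()
    {
        // Constructed payloads: one with the expected hint, one naming an unlisted type.
        Console.WriteLine(Parse("{\"$type\":\"OrderRequest\",\"OrderId\":42,\"Note\":\"ok\"}").OrderId);
        try { Parse("{\"$type\":\"Some.Unexpected.Type, SomeAssembly\",\"OrderId\":1}"); }
        catch (JsonSerializationException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```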