WARNING: CRLF INJECTION IN REFIT LIBRARY .NET CORE, XAMARIN AND .NET PATCH IMMEDIATELY!

Published : 12/11/2024

Reference:
Advisory #2024-261

Version:
1.0

Affected software:
Refit .NET Core, Xamarin and .NET

Type:
CRLF Injection (Carriage Return Line Feed Injection)

CVE/CVSS:
CVE-2024-51501: CVSS 10.0(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)

Sources

NVD - https://nvd.nist.gov/vuln/detail/CVE-2024-51501

Risks

The various header-related Refit attributes (Header, HeaderCollection and Authorize) are vulnerable to CRLF injection, potentially leading to unauthorized access to internal systems or services.

Description

Refit versions prior to 7.2.22 and 8.0.0 are vulnerable to CRLF injection via header-related attributes. Attackers can inject additional HTTP headers or smuggle requests, enabling request splitting and Server-Side Request Forgery (SSRF) in web applications.

If an application using the Refit library passes a user-controllable value (for example a token, tenant identifier or API key) into a parameter decorated with Header, HeaderCollection or Authorize without sanitising it, an attacker can end the header with a CR LF sequence and append headers of their choosing, so that application becomes vulnerable to CRLF injection.
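The following C# example is added to this advisory to illustrate the mechanism; it is not code from the Refit project. It assumes a hypothetical Refit interface (shown only in a comment) and a constructed attacker-supplied value, and shows what a header value containing CR LF does to the request head, how the validated HttpRequestHeaders.Add differs from TryAddWithoutValidation for such a value, and a guard an application can apply before a user-controlled value reaches a Refit header parameter.

```csharp
using System;
using System.Net.Http;

// Added example (not Refit project code).
// Hypothetical Refit interface where user input reaches a header:
//   [Get("/users")]
//   Task<string> GetUsers([Header("X-Tenant")] string tenant);
static class CrlfHeaderDemo
{
    // Constructed attacker input: closes the X-Tenant header and appends a
    // header of the attacker's choosing. Any CR or LF has this effect.
    public const string AttackerTenant = "acme\r\nX-Forwarded-For: 127.0.0.1";

    // True if the value would split into more than one header line.
    public static bool ContainsCrlf(string value) =>
        value.IndexOfAny(new[] { '\r', '\n' }) >= 0;

    // Guard to call in application code before passing a value to a
    // [Header]/[HeaderCollection]/[Authorize] parameter.
    public static string RequireSingleLine(string value, string paramName)
    {
        if (value is null) throw new ArgumentNullException(paramName);
        if (ContainsCrlf(value))
            throw new ArgumentException(
                $"'{paramName}' must not contain CR or LF characters", paramName);
        return value;
    }

    // The request head as it would be written if the raw value were sent
    // unvalidated: one logical header has become two.
    public static string RenderRequestHead(string tenant) =>
        "GET /users HTTP/1.1\r\n" +
        "Host: api.example.test\r\n" +
        "X-Tenant: " + tenant + "\r\n" +
        "\r\n";

    // Validated Add throws FormatException on a CR LF payload;
    // TryAddWithoutValidation stores the raw value and returns true.
    public static (bool validatedAccepted, bool rawAccepted) CompareHeaderApis(string tenant)
    {
        bool validatedAccepted;
        using (var req = new HttpRequestMessage(HttpMethod.Get, "http://api.example.test/users"))
        {
            try
            {
                req.Headers.Add("X-Tenant", tenant);
                validatedAccepted = true;
            }
            catch (FormatException)
            {
                validatedAccepted = false;
            }
        }

        bool rawAccepted;
        using (var req = new HttpRequestMessage(HttpMethod.Get, "http://api.example.test/users"))
        {
            rawAccepted = req.Headers.TryAddWithoutValidation("X-Tenant", tenant);
        }
        return (validatedAccepted, rawAccepted);
    }

    static void Main()
    {
        Console.WriteLine("Request head with injected value:");
        Console.WriteLine(RenderRequestHead(AttackerTenant));

        var (validated, raw) = CompareHeaderApis(AttackerTenant);
        Console.WriteLine($"Headers.Add accepted: {validated}; TryAddWithoutValidation accepted: {raw}");

        try
        {
            RequireSingleLine(AttackerTenant, "tenant");
        }
        catch (ArgumentException e)
        {
            Console.WriteLine("Guard rejected the value: " + e.Message);
        }
    }
}
```

Whether a raw value accepted by TryAddWithoutValidation is actually written to the socket depends on the .NET runtime version in use; the RequireSingleLine guard, applied to every user-controlled value before it reaches Refit, does not depend on that and remains useful alongside the upgrade to a fixed Refit release.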

Recommended Actions

This issue has been addressed in release versions 7.2.22 and 8.0.0 and all users are advised to upgrade.

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable software with the highest priority, after thorough testing.

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

Snyk Security - https://security.snyk.io/vuln/SNYK-DOTNET-REFIT-8344796