Why black lists are bad: Application developers have gotten in the habit of mitigating deserialization risks by creating blacklists of classes that could be dangerous when deserialized, and as watchTowr explains, this was also Veeam’s approach when addressing CVE-2024-40711. However, history has shown that blacklists are rarely complete.”Blacklists (also known as block-lists or deny-lists) are based on a very optimistic (and provably flawed) idea that we can just make a list of all the bad classes, and we just keep a record of everything bad that can be done and update our list as and when new bad is introduced,” the researchers wrote.”Luckily, as an industry, we actually already have a list of all the bad classes in the world, and so this is flawless logic. There are a couple of bitter truths though: This is a lie. While we can agree that nowadays it’s extremely hard to find new deserialization gadgets in programming languages and frameworks (although still possible), products have their own codebase and can contain abusable classes that can be misused during deserialization,” the researchers added. “This is before we even get on to 3rd party libraries.”Veeam Backup & Replication developers maintain a list of gadgets that are blocked from being deserialized via .NET BinaryFormatter. This list is located in the code at Veeam.Backup.Common.Sources.System.IO.BinaryFormatter.blacklist.txt so when CVE-2024-40711 was discovered, their fix was to add the System.Runtime.Remoting.ObjRef gadget to it.Problem solved, until watchTowr researcher Sina Kheirkhah found more exploitable classes, System.CodeDom.Compiler.TempFileCollection and System.IO.DirectoryInfo, resulting in vulnerability CVE-2024-42455. These too were added to the blacklist.Now, watchTowr researcher Piotr Bazydlo found additional exploitable gadgets once again Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary, both of which extend the DataSet class, a very popular RCE gadged for deserialization. This is the new CVE-2025-23120 flaw patched Wednesday.In fact, exploiting CVE-2025-23120 only requires simple changes to the proof-of-concept exploit previously published for CVE-2024-42455.”We hope that we have provided yet another proof that protection of deserialization sinks with a blacklist should be illegal,” the researchers wrote. “No matter how perfect, or ‘perfecteder’ and state-of-the-art your list is, somebody will eventually find a way to abuse it.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3850731/critical-remote-code-execution-flaw-patched-in-veeam-backup-servers.html
