Discovery of a critical open-source vulnerability - CVE-2021-46703
YieldDD recently discovered a vulnerability in a widely used open-source software package. Attackers exploiting this vulnerability could gain access to, and take control of, a user's or a company's system. YieldDD reported the finding to MITRE's CVE Program, which assigned it the identifier CVE-2021-46703, and the US NIST National Vulnerability Database has rated it critical.
During a software due diligence for one of our clients, YieldDD Senior Consultant Gerben van de Wiel found a critical vulnerability in the IsolatedRazorEngine component of Antaris RazorEngine. This open-source templating engine allows the use of Microsoft's Razor syntax to build dynamic templates, for example for emails or invoices. The isolated component runs template code in a separate AppDomain as a sandbox, a security boundary intended to keep a faulty or malicious template from affecting the rest of the application.
However, Gerben found a way to escape the AppDomain sandbox that IsolatedRazorEngine creates: template code can be made to call arbitrary .NET code without the sandbox's restrictions, which amounts to a remote code execution vulnerability. It could have given him control over our client's system, and the same holds for any other system that uses this component to process templates an attacker can influence; a malicious attacker could exploit it, for example, to run malware on that system.
Together with our client we have eliminated this vulnerability, and we have taken steps to reduce the risk for others. YieldDD submitted the finding to MITRE's CVE Program, which assigned it CVE-2021-46703, and the US National Institute of Standards and Technology (NIST) has registered it in its National Vulnerability Database and rated it 'critical'.
The IsolatedRazorEngine component was last updated in 2017 and is no longer supported by the maintainer, so a fix from upstream should not be expected; anyone whose applications use it should check for that dependency and avoid feeding the component templates from untrusted sources. To find out whether this particular issue poses a risk for you, or to discuss the security risks associated with the use of open-source code in general, please contact us.
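A first step in establishing whether you are exposed is an inventory check: does any code base declare a dependency on RazorEngine, and does any code actually reach the sandboxed (isolated) engine? The script below is an added example, not code from YieldDD or from the RazorEngine project. It assumes that the NuGet package id is "RazorEngine" and that the isolated engine is reached through the class IsolatedRazorEngineService or the Engine.IsolatedRazor property; the sample project it scans is constructed inline for demonstration only, and paths are assumed to contain no whitespace.

```shell
#!/usr/bin/env bash
# Added example (not YieldDD's or RazorEngine's own code): scan a .NET source tree for
# (a) a declared dependency on the Antaris RazorEngine NuGet package and (b) source
# files that use the sandboxed engine, i.e. the IsolatedRazorEngine component named
# in CVE-2021-46703.
# Assumptions (not stated on the page): NuGet package id "RazorEngine"; the isolated
# engine is used via the class IsolatedRazorEngineService or Engine.IsolatedRazor.
# Paths are assumed to contain no whitespace.

# Usage: scan_for_isolated_razor <source-root>
# Prints "package<TAB>file" for each dependency declaration found and
# "usage<TAB>file" for each source file that references the isolated engine.
# Exit status: 0 if at least one usage was found, 1 otherwise.
scan_for_isolated_razor() {
  root="$1"
  # /dev/null is passed as the first grep argument so grep never falls back to
  # reading stdin when find yields no files; it can never produce a match itself.
  pkg_files=$(find "$root" -type f \( -name packages.config -o -name '*.csproj' -o -name paket.dependencies \) \
    -exec grep -liE 'id="RazorEngine"|Include="RazorEngine"|^nuget RazorEngine' /dev/null {} + || true)
  use_files=$(find "$root" -type f \( -name '*.cs' -o -name '*.cshtml' -o -name '*.vb' \) \
    -exec grep -lE 'IsolatedRazorEngineService|Engine\.IsolatedRazor' /dev/null {} + || true)
  for f in $pkg_files; do printf 'package\t%s\n' "$f"; done
  for f in $use_files; do printf 'usage\t%s\n' "$f"; done
  [ -n "$use_files" ]
}

# Constructed sample project (not a real code base) used for the demonstration:
# one dependency declaration, one file using the isolated engine, one clean file.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/Mailer"
  cat > "$d/Mailer/packages.config" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<packages>
  <package id="RazorEngine" version="0.0.0-sample" targetFramework="net461" />
</packages>
EOF
  cat > "$d/Mailer/Mailer.cs" <<'EOF'
using RazorEngine.Templating;
// Constructed sample: renders invoice templates inside the isolated (AppDomain) engine.
public class Mailer {
    public void Render(string template) {
        var engine = IsolatedRazorEngineService.Create();
    }
}
EOF
  cat > "$d/Mailer/Util.cs" <<'EOF'
public static class Util { public static int Add(int a, int b) { return a + b; } }
EOF
  echo "$d"
}

# Demonstration on the constructed tree: prints one package and one usage finding.
sample_root=$(make_sample_tree)
scan_for_isolated_razor "$sample_root" || echo "no use of the isolated engine found under $sample_root"
```

Run it against a real checkout with `scan_for_isolated_razor /path/to/repo`. A "package" hit without any "usage" hit means the library is present but the sandboxed engine is not referenced directly; a "usage" hit is the case to follow up, starting with where the templates that engine renders come from.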
For more detailed information on this vulnerability, here is a technical explanation from Gerben: