mwulftange opened a new issue, #212: URL: https://github.com/apache/logging-log4net/issues/212
For applications that continue to use the removed `RemotingAppender` (see apache/logging-log4net#154) and thus the inherently insecure .NET Remoting (see [*Teaching the Old .NET Remoting New Exploitation Tricks*][1]), the following mitigation measures could be helpful.

## Restrict Access to .NET Remoting Service

.NET Remoting provides some [server channel properties](https://learn.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/bb397831(v=vs.100)) that can help to enhance security:

- add authentication **and** authorization:
  - `secure` (requires Windows authentication, though '[Anonymous Logon](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-special-identities-groups#anonymous-logon)' or any other authenticated user also works)
  - `authorizationModule` (requires an additional class implementing [`IAuthorizeRemotingConnection`](https://msdn.microsoft.com/en-us/library/ms147015(v=vs.100)) as authorization authority)
- bind the TCP server to specific interfaces to reduce exposure:
  - `bindTo` (specific IP) / `rejectRemoteRequests` (loopback only)

This can be done either [programmatically][2] or [in the configuration file][3], for example:

```diff
 <system.runtime.remoting>
   <application name="Log4netRemotingServer">
     <!-- We need to define the remoting channels on which we will publish the remote logging sink. -->
     <channels>
-      <channel displayName="Server Channel" ref="tcp server" port="8085" />
+      <channel displayName="Server Channel" ref="tcp server" port="8085"
+               secure="true"
+               authorizationModule="Example.MyAuthorizeRemotingConnection"
+               rejectRemoteRequests="true" />
     </channels>
   </application>
 </system.runtime.remoting>
```

Additional attributes in `<channel>` are passed to the `IChannel` constructor (here `TcpServerChannel`) as `properties`.

This also works in the application's configuration file (e.g., [`RemotingServer.exe.config`](https://github.com/apache/logging-log4net/blob/rel/2.0.17/examples/net/2.0/Remoting/RemotingServer/cs/src/App.config#L50-L58)) without requiring a rebuild of the application.

[1]: https://code-white.com/blog/teaching-the-old-net-remoting-new-exploitation-tricks/
[2]: https://learn.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/yb02e5ze(v=vs.100)
[3]: https://learn.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/a2hy8w8y(v=vs.100)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@logging.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
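The issue above leaves the `authorizationModule` class as a name in the config snippet. The following is an added example of what such a class can look like, written for this page and not part of the issue, of log4net, or of its `Remoting` sample. It implements the real `System.Runtime.Remoting.Channels.IAuthorizeRemotingConnection` interface (two methods: one called with the peer's `EndPoint` before any message is read, one called with the negotiated `IIdentity`). The namespace and class name match the `Example.MyAuthorizeRemotingConnection` value from the snippet; the allow-listed source address and the account name are constructed placeholders.

```csharp
// Added example, not log4net code: a deny-by-default IAuthorizeRemotingConnection
// that restricts the TcpServerChannel to allow-listed peers and Windows accounts.
using System;
using System.Collections.Generic;
using System.Net;
using System.Runtime.Remoting.Channels;
using System.Security.Principal;

namespace Example
{
    public sealed class MyAuthorizeRemotingConnection : IAuthorizeRemotingConnection
    {
        // Constructed placeholders: the hosts that are allowed to forward log events.
        // 192.0.2.10 is a TEST-NET-2 documentation address, not a real forwarder.
        private static readonly HashSet<IPAddress> AllowedSources = new HashSet<IPAddress>
        {
            IPAddress.Loopback,
            IPAddress.IPv6Loopback,
            IPAddress.Parse("192.0.2.10"),
        };

        // Constructed placeholder: the service account(s) the forwarders run as.
        private static readonly HashSet<string> AllowedAccounts =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase)
            {
                @"EXAMPLE\svc-log4net-forwarder",
            };

        // Invoked by the channel for every accepted TCP connection, before any
        // remoting payload is deserialized. Anything that is not an IP endpoint on
        // the allow-list is rejected; this is exposure reduction, not authentication.
        public bool IsConnectingEndPointAuthorized(EndPoint endPoint)
        {
            var ip = endPoint as IPEndPoint;
            if (ip == null)
                return false;

            // Normalize IPv4-mapped IPv6 peers (::ffff:a.b.c.d) so the allow-list
            // of IPv4 literals also matches dual-stack sockets.
            var address = ip.Address.IsIPv4MappedToIPv6 ? ip.Address.MapToIPv4() : ip.Address;
            return AllowedSources.Contains(address);
        }

        // Invoked with the identity negotiated by secure="true". Unauthenticated
        // and anonymous logons are refused (the 'secure' property alone accepts them),
        // then the account name is checked against the allow-list.
        public bool IsConnectingIdentityAuthorized(IIdentity identity)
        {
            if (identity == null || !identity.IsAuthenticated)
                return false;

            var windowsIdentity = identity as WindowsIdentity;
            if (windowsIdentity != null && windowsIdentity.IsAnonymous)
                return false;

            return AllowedAccounts.Contains(identity.Name);
        }
    }
}
```

Two points when wiring this in: the channel resolves the `authorizationModule` value with `Type.GetType`, so in practice the config attribute needs a name the runtime can load (an assembly-qualified name such as `Example.MyAuthorizeRemotingConnection, ExampleAssembly` when the class lives outside the server executable; treat the exact resolution rules as something to verify against your runtime). And the identity check only carries weight together with `secure="true"`; without it there is no authenticated identity to evaluate, and the endpoint allow-list is the only remaining control.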