OpenMcdf Denial-of-Service Vulnerability Due to Directory Cycle Handling

Vulnerability

A denial-of-service vulnerability has been identified in OpenMcdf, a .NET library for manipulating Compound File Binary (CFB) files. Prior to version 3.1.3, OpenMcdf's directory traversal methods did not detect cycles in the red-black tree structure of CFB documents. A crafted CFB file with cyclical references in the directory entry chain could therefore cause infinite loops in key library functions, such as 'Storage.EnumerateEntries()' and 'Storage.OpenStream()'. The affected thread is then consumed indefinitely, and standard exception handling offers no way to recover it.

Impact

Exploitation of this vulnerability leads to an infinite loop, causing applications to hang indefinitely while processing the crafted CFB file. This behavior can result in significant resource consumption, as the application's memory usage grows without bound during the loop. No error is thrown at any point, so the calling process cannot be recovered without forcefully terminating it.

Reproduction

The vulnerability can be reproduced by creating a CFB file that includes a cycle in the 'LeftSiblingID' and 'RightSiblingID' chain. Once this file is prepared, it can be opened using OpenMcdf's 'RootStorage.Open()' method. The 'Storage.EnumerateEntries()' method can then be called, which will enter an infinite loop, repeatedly yielding the same directory entry without exiting. Alternatively, the 'Storage.OpenStream()' method can be used, which will also cause the application to hang, depending on the structure of the cycle.

Remediation

Users can upgrade to OpenMcdf version 3.1.3 or later, where this vulnerability has been patched.
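
Where an immediate upgrade is not possible, the missing check can be applied to a file's directory before it reaches the library. The following is an added example, not OpenMcdf's own code: it assumes the directory stream bytes have already been extracted from the file, takes the field offsets from the MS-CFB directory entry layout, and uses hypothetical function names and constructed sample data.

```python
import struct

NOSTREAM = 0xFFFFFFFF      # MS-CFB marker for "no sibling / no child"
ENTRY_SIZE = 128           # size of one CFB directory entry

def parse_links(directory: bytes):
    """Return (left, right, child) stream IDs for each 128-byte directory entry."""
    links = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        # LeftSiblingID, RightSiblingID, ChildID are little-endian DWORDs at 0x44..0x4F.
        links.append(struct.unpack_from("<III", directory, off + 0x44))
    return links

def check_directory(directory: bytes):
    """Walk the tree from the root entry (ID 0); return None if sound, else a reason."""
    links = parse_links(directory)
    if not links:
        return "empty directory"
    seen = {0}
    stack = [links[0][2]]          # the root entry is followed through its child link only
    while stack:
        sid = stack.pop()
        if sid == NOSTREAM:
            continue
        if sid >= len(links):
            return f"entry ID {sid} out of range"
        if sid in seen:
            return f"entry ID {sid} reached twice (cycle or shared node)"
        seen.add(sid)
        stack.extend(links[sid])   # left sibling, right sibling, child
    return None

def make_entry(left=NOSTREAM, right=NOSTREAM, child=NOSTREAM) -> bytes:
    """Constructed test helper: a 128-byte entry with only the link fields set."""
    entry = bytearray(ENTRY_SIZE)
    struct.pack_into("<III", entry, 0x44, left, right, child)
    return bytes(entry)

# Constructed samples: root (ID 0) -> child 1, whose siblings are entries 2 and 3.
SOUND = make_entry(child=1) + make_entry(left=2, right=3) + make_entry() + make_entry()
# Same layout, but entry 3's right sibling points back at entry 1.
CYCLIC = make_entry(child=1) + make_entry(left=2, right=3) + make_entry() + make_entry(right=1)

if __name__ == "__main__":
    print("sound :", check_directory(SOUND))
    print("cyclic:", check_directory(CYCLIC))
```

Because every entry ID may be visited at most once, the walk is bounded by the number of directory entries regardless of how the sibling links are arranged.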

Added: May 8, 2026, 10:10 PM
Updated: May 8, 2026, 10:10 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.0
remediation: 0.0
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.