Discovery of a critical open-source vulnerability - CVE-2021-46703


YieldDD recently discovered a vulnerability in a widely used open-source software package. Attackers exploiting this vulnerability might gain access to and take control over a user's or a company's system. YieldDD has reported this finding, via MITRE ATT&CK, to NIST, which has classified it as critical: CVE-2021-46703.


Eliminating a vulnerability that could be exploited by a malicious attacker

During a software due diligence for one of our clients, YieldDD Senior Consultant Gerben van de Wiel found a critical vulnerability in the IsolatedRazorEngine component of Antaris RazorEngine. This open-source templating engine allows the use of Microsoft's Razor syntax to build dynamic templates, for example emails or invoices. The isolated component creates a sandbox, a security mechanism intended to keep system failures and/or software vulnerabilities from spreading.

However, Gerben found that it is possible to escape the AppDomain sandbox created by the IsolatedRazorEngine. He discovered a way to call any .NET code without the restrictions of the sandbox, which in turn leads to a Remote Code Execution vulnerability: one that could potentially have given him control over our client's system, or over any system using this component, for that matter. This means that a malicious attacker could exploit this vulnerability by, for example, running malware.

Together with our client, we have eliminated this vulnerability, and we have taken steps to mitigate this risk for others. YieldDD has submitted this finding to MITRE ATT&CK, a globally accessible knowledge base of adversary tactics and techniques. The US National Institute of Standards and Technology (NIST) has registered it in its National Vulnerability Database under CVE-2021-46703 and labelled it 'critical'.

The IsolatedRazorEngine component was last updated in 2017 and is no longer supported by the maintainer. To find out if this particular issue causes any risks for you or to discuss the security risks associated with the use of open source code in general, please contact us.

For more detailed information on this software vulnerability, here is a technical explanation from Gerben:
