CVE-2018-14878 : Security Advisory and Response

Learn about CVE-2018-14878 affecting JetBrains dotPeek versions prior to 2018.2 and ReSharper Ultimate versions prior to 2018.1.4. Understand the impact, exploitation, and mitigation steps.

JetBrains dotPeek and ReSharper Ultimate versions prior to 2018.2 and 2018.1.4, respectively, are vulnerable to code execution through decompiling .NET objects.

Understanding CVE-2018-14878

Attackers can exploit a Deserialization of Untrusted Data vulnerability in JetBrains dotPeek and ReSharper Ultimate to execute malicious code.

What is CVE-2018-14878?

This CVE refers to a Deserialization of Untrusted Data vulnerability that allows attackers to execute code when a compiled .NET object (such as a DLL or EXE file) is decompiled with a specific file.

The Impact of CVE-2018-14878

The vulnerability allows threat actors to execute arbitrary code by leveraging the decompilation process of .NET objects, potentially leading to unauthorized access or system compromise.

Technical Details of CVE-2018-14878

JetBrains dotPeek versions before 2018.2 and ReSharper Ultimate versions before 2018.1.4 are susceptible to this security flaw.

Vulnerability Description

The vulnerability arises from the improper handling of deserialization of untrusted data, enabling attackers to execute malicious code during the decompilation of .NET objects.

Affected Systems and Versions

        JetBrains dotPeek versions prior to 2018.2
        ReSharper Ultimate versions before 2018.1.4

Exploitation Mechanism

Exploitation occurs when a compiled .NET object is decompiled with a specific file: untrusted data is deserialized during decompilation, which allows arbitrary code to execute.

Mitigation and Prevention

To address CVE-2018-14878, follow these steps:

Immediate Steps to Take

        Update JetBrains dotPeek to version 2018.2 or later
        Update ReSharper Ultimate to version 2018.1.4 or newer
        Avoid decompiling untrusted .NET objects

Long-Term Security Practices

        Regularly update software and security patches
        Implement code reviews and security testing practices

Patching and Updates

        Apply the latest patches and updates provided by JetBrains for dotPeek and ReSharper Ultimate to mitigate the vulnerability.
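
To check a software inventory against the fixed versions listed above, the following added example (not JetBrains or advisory code) classifies each row. It assumes the inventory reports the product's release version such as 2018.1.4; the host names, display names and rows are constructed.

```python
import re

# First fixed versions as stated in the advisory above.
FIXED = {"dotpeek": (2018, 2), "resharper": (2018, 1, 4)}

def parse_version(text):
    """Dotted numeric version -> tuple of ints; None if anything else is present."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_before(version, fixed):
    """Numeric compare with zero padding: 2018.2 == 2018.2.0, 2018.1.10 > 2018.1.4."""
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(fixed)

def assess(name, version_text):
    """Return 'vulnerable', 'fixed', 'unknown' or 'not-applicable' for one row."""
    key = next((k for k in FIXED if k in name.lower()), None)
    if key is None:
        return "not-applicable"
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # e.g. EAP or blank: review by hand, do not assume patched
    return "vulnerable" if is_before(version, FIXED[key]) else "fixed"

# Constructed sample inventory: hosts, display names and versions are hypothetical.
INVENTORY = [
    ("dev-01", "JetBrains dotPeek", "2018.1.4"),             # below dotPeek's 2018.2
    ("dev-02", "JetBrains dotPeek", "2018.2"),
    ("dev-03", "JetBrains ReSharper Ultimate", "2018.1.4"),
    ("dev-04", "JetBrains ReSharper Ultimate", "2018.1.10"),  # string compare gets this wrong
    ("dev-05", "JetBrains ReSharper Ultimate", "2017.3.5"),
    ("dev-06", "JetBrains dotPeek", "2018.2 EAP"),
    ("dev-07", "7-Zip", "18.05"),
]

def audit(rows):
    """Attach a status to every (host, product, version) row."""
    return [(h, n, v, assess(n, v)) for h, n, v in rows]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print("%-8s %-30s %-10s %s" % row)
```

Rows reported as unknown should be checked by hand, since a pre-release or unparseable version string does not show whether the fix is present.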
