Critical remote code execution flaw patched in Veeam backup servers

Why black lists are bad

Application developers have gotten in the habit of mitigating deserialization risks by creating blacklists of classes that could be dangerous when deserialized, and as watchTowr explains, this was also Veeam’s approach when addressing CVE-2024-40711. However, history has shown that blacklists are rarely complete.

“Blacklists (also known as block-lists or deny-lists) are based on a very optimistic (and provably flawed) idea that we can just make a list of all the bad classes, and we just keep a record of everything bad that can be done and update our list as and when new bad is introduced,” the researchers wrote.

“Luckily, as an industry, we actually already have a list of all the bad classes in the world, and so this is flawless logic. There are a couple of bitter truths though: This is a lie. While we can agree that nowadays it’s extremely hard to find new deserialization gadgets in programming languages and frameworks (although still possible), products have their own codebase and can contain abusable classes that can be misused during deserialization,” the researchers added. “This is before we even get on to 3rd party libraries.”