Description
RemotingAppender should be removed because .NET Remoting is no longer state of the art and inherently insecure.
.NET Core no longer supports .NET Remoting.
For applications that continue to use the removed RemotingAppender and thus the inherently insecure .NET Remoting (see Teaching the Old .NET Remoting New Exploitation Tricks), the following mitigation measures could be helpful.
Restrict Access to .NET Remoting Service
.NET Remoting provides some server channel properties that can help to enhance security:
- add authentication and authorization:
  - `secure` (requires Windows authentication, though 'Anonymous Logon' or any other authenticated user also works)
  - `authorizationModule` (requires an additional class implementing `IAuthorizeRemotingConnection` as authorization authority)
- bind the TCP server to specific interfaces to reduce exposure:
  - `bindTo` (specific IP) / `rejectRemoteRequests` (loopback only)
This can be done either programmatically or in the configuration file, for example:
```diff
<system.runtime.remoting>
<application name="Log4netRemotingServer">
<!-- We need to define the remoting channels on which we will publish
the remote logging sink. -->
<channels>
- <channel displayName="Server Channel" ref="tcp server" port="8085" />
+ <channel displayName="Server Channel" ref="tcp server" port="8085"
+ secure="true"
+ authorizationModule="Example.MyAuthorizeRemotingConnection"
+ rejectRemoteRequests="true" />
</channels>
</application>
</system.runtime.remoting>
```

Additional attributes in `<channel>` are passed to the `IChannel` constructor (here `TcpServerChannel`) as properties. This also works in the application's configuration file (e.g., `RemotingServer.exe.config`) without requiring a rebuild of the application.
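A possible implementation of the authorization authority that the `authorizationModule` attribute above points to, added here as an illustration and not code from this issue or from log4net. It closes the gap noted above (`secure="true"` alone still admits 'Anonymous Logon') by rejecting anonymous identities; the loopback-only endpoint rule and the group name `Log4netRemotingClients` are assumptions for the example.

```csharp
using System;
using System.Net;
using System.Runtime.Remoting.Channels;
using System.Security.Principal;

namespace Example
{
    // Authorization authority referenced from the channel configuration as
    // authorizationModule="Example.MyAuthorizeRemotingConnection". The runtime
    // creates it by type name, so the type must be loadable from that string
    // (a "Type, Assembly" form may be needed depending on where it lives).
    // TcpServerChannel consults both checks before it accepts a connection.
    public class MyAuthorizeRemotingConnection : IAuthorizeRemotingConnection
    {
        // First check: the remote endpoint of the incoming TCP connection.
        public bool IsConnectingEndPointAuthorized(EndPoint endPoint)
        {
            var ip = endPoint as IPEndPoint;
            if (ip == null)
                return false;

            // Assumption for this example: log producers run on the same host
            // as the remoting sink, so only loopback clients are admitted.
            return IPAddress.IsLoopback(ip.Address);
        }

        // Second check: the identity established by Windows authentication
        // (only reached when secure="true" is set on the channel).
        public bool IsConnectingIdentityAuthorized(IIdentity identity)
        {
            if (identity == null || !identity.IsAuthenticated)
                return false;

            var windowsIdentity = identity as WindowsIdentity;
            if (windowsIdentity == null)
                return false;

            // secure="true" accepts 'Anonymous Logon' as an authenticated
            // caller; reject it explicitly here.
            if (windowsIdentity.IsAnonymous)
                return false;

            // Assumed local group that is allowed to push log events.
            var principal = new WindowsPrincipal(windowsIdentity);
            return principal.IsInRole("Log4netRemotingClients");
        }
    }
}
```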