#VU13769 Security restrictions bypass in Microsoft .NET Framework and ASP.NET Core MVC - CVE-2018-8356

Cybersecurity Help s.r.o.

Published: 2018-07-10 | Updated: 2018-07-10

Vulnerability identifier: #VU13769

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-8356

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Microsoft .NET Framework
Server applications / Frameworks for developing and running applications
ASP.NET Core MVC
Universal components / Libraries / Software for developers

Vendor: Microsoft

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The vulnerability exists due to improper validation of certificates by .NET Framework components. A remote unauthenticated attacker can present expired certificates when challenged and bypass security restrictions to conduct further attacks.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Microsoft .NET Framework: 3.0, 3.5 - 3.5.1, 4.5.2, 4.6 - 4.6.2, 4.7 - 4.7.2

ASP.NET Core MVC: 1.0.0 - 2.0

External links
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8356

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Microsoft .NET Framework and ASP.NET