Security Updates for Microsoft .NET core and ASP.NET (DoS) (July 2018)

medium Nessus Plugin ID 111071

Synopsis

The Microsoft ASP.NET Core installations on the remote host contain vulnerable packages.

Description

The Microsoft ASP.NET Core installations on the remote host are missing a security update. It is, therefore, affected by the following vulnerability :

- A security feature bypass vulnerability exists when Microsoft .NET Framework components do not correctly validate certificates.
An attacker could present expired certificates when challenged. The security update addresses the vulnerability by ensuring that .NET Framework components correctly validate certificates. (CVE-2018-8356)

Solution

Update ASP.NET Core, remove vulnerable packages and refer to vendor advisory.

See Also

http://www.nessus.org/u?3e10f501

https://github.com/aspnet/Announcements/issues/311

Plugin Details

Severity: Medium

ID: 111071

File Name: smb_nt_ms18_jul_aspdotnet_core_CVE-2018-8356.nasl

Version: 1.8

Type: local

Agent: windows

Published: 7/13/2018

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Low

Base Score: 2.1

Temporal Score: 1.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2018-8356

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:microsoft:asp.net_core

Required KB Items: installed_sw/ASP .NET Core Windows, SMB/MS_Bulletin_Checks/Possible

Exploit Ease: No known exploits are available

Patch Publication Date: 7/10/2018

Vulnerability Publication Date: 7/10/2018

Reference Information

CVE: CVE-2018-8356

BID: 104664

MSFT: MS18-4339279

MSKB: 4339279