Security Updates for Microsoft .NET Framework (January 2024)

critical Nessus Plugin ID 187901

Synopsis

The Microsoft .NET Framework installation on the remote host is missing a security update.

Description

The Microsoft .NET Framework installation on the remote host is missing a security update. It is, therefore, affected by multiple vulnerabilities, as follows:

- Denial of service vulnerability in Microsoft .NET Framework. (CVE-2023-36042, CVE-2024-21312)

- Security feature bypass in System.Data.SqlClient SQL data provider. An attacker can perform a man-in-the-middle attack on the connection between the client and server in order to read and modify the TLS traffic. (CVE-2024-0056)

- Security feature bypass in applications that use the X.509 chain building APIs. When processing an untrusted certificate with malformed signatures, the framework returns an incorrect reason code.
Applications which make use of this reason code may treat this scenario as a successful chain build, potentially bypassing the application's typical authentication logic. (CVE-2024-0057)

Solution

Microsoft has released security updates for Microsoft .NET Framework.

See Also

http://www.nessus.org/u?a8f77e6e

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36042

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-0056

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-0057

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21312

https://support.microsoft.com/en-us/help/5033898

https://support.microsoft.com/en-us/help/5033899

https://support.microsoft.com/en-us/help/5033904

https://support.microsoft.com/en-us/help/5033907

https://support.microsoft.com/en-us/help/5033909

https://support.microsoft.com/en-us/help/5033910

https://support.microsoft.com/en-us/help/5033911

https://support.microsoft.com/en-us/help/5033912

https://support.microsoft.com/en-us/help/5033914

https://support.microsoft.com/en-us/help/5033916

https://support.microsoft.com/en-us/help/5033917

https://support.microsoft.com/en-us/help/5033918

https://support.microsoft.com/en-us/help/5033919

https://support.microsoft.com/en-us/help/5033920

https://support.microsoft.com/en-us/help/5033922

https://support.microsoft.com/en-us/help/5033945

https://support.microsoft.com/en-us/help/5033946

https://support.microsoft.com/en-us/help/5033947

https://support.microsoft.com/en-us/help/5033948

Plugin Details

Severity: Critical

ID: 187901

File Name: smb_nt_ms24_jan_dotnet.nasl

Version: 1.4

Type: local

Agent: windows

Published: 1/10/2024

Updated: 3/29/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.1

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-0057

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:microsoft:.net_framework

Required KB Items: SMB/MS_Bulletin_Checks/Possible

Exploit Ease: No known exploits are available

Patch Publication Date: 1/9/2024

Vulnerability Publication Date: 1/9/2024

Reference Information

CVE: CVE-2023-36042, CVE-2024-0056, CVE-2024-0057, CVE-2024-21312

IAVA: 2024-A-0011-S

MSFT: MS24-5033898, MS24-5033899, MS24-5033904, MS24-5033907, MS24-5033909, MS24-5033910, MS24-5033911, MS24-5033912, MS24-5033914, MS24-5033916, MS24-5033917, MS24-5033918, MS24-5033919, MS24-5033920, MS24-5033922, MS24-5033945, MS24-5033946, MS24-5033947, MS24-5033948

MSKB: 5033898, 5033899, 5033904, 5033907, 5033909, 5033910, 5033911, 5033912, 5033914, 5033916, 5033917, 5033918, 5033919, 5033920, 5033922, 5033945, 5033946, 5033947, 5033948