CERT-In Vulnerability Note
Multiple Vulnerabilities in Microsoft ASP.NET Framework
Original Issue Date:November 21, 2017
Severity Rating: MEDIUM
- Microsoft ASP.NET Core 1.0
- Microsoft ASP.NET Core 1.1
- Microsoft ASP.NET Core 2.0
Multiple vulnerabilities have been reported in Microsoft ASP.NET, which could be exploited by an unauthenticated remote attacker to cause denial of service, information disclosure, or privilege escalation on the targeted system.
1. Denial of Service Vulnerability
A vulnerability exists in Microsoft ASP.NET because the affected software improperly handles web requests. A remote attacker could exploit this vulnerability by submitting malicious web requests to the targeted system.
Successful exploitation of this vulnerability could allow the attacker to cause the affected software to stop responding, resulting in a denial of service (DoS) condition.
2. Information Disclosure Vulnerability
A vulnerability exists in Microsoft ASP.NET Core due to insufficient enforcement of cross-origin resource sharing (CORS) configurations by the affected software. A remote attacker could exploit this vulnerability by persuading a user of a targeted system to access a link that submits malicious input to the affected software.
Successful exploitation of this vulnerability allows the attacker to access sensitive information on the targeted system, which could be used to conduct further attacks.
3. URL Redirection Vulnerability
This vulnerability exists in Microsoft ASP.NET due to insufficient validation of user-supplied input by the affected software when handling redirect requests (an open redirect). An attacker could exploit this vulnerability by persuading a user to access a link that redirects the user to a malicious website designed to harvest the user's login session information.
Successful exploitation could allow the attacker to access sensitive information such as cookies or authentication tokens, which could be used to conduct additional attacks.
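The redirect weakness described above is the class of bug a return-URL check guards against. The following is an added example, not code from the CERT-In note or from Microsoft: a standalone C# policy that mirrors the rule ASP.NET Core's Url.IsLocalUrl applies, shown against constructed sample inputs including the scheme-relative and backslash forms that slip past naive "starts with a slash" checks.

```csharp
using System;

// Added example (not from the CERT-In note): a return-URL check for a login handler.
// It accepts only paths relative to this site and rejects protocol-relative ("//host")
// and backslash ("/\host") forms, which browsers resolve as URLs to another host.
public static class ReturnUrlPolicy
{
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;

        // Control characters or whitespace can hide a scheme from a naive prefix check.
        foreach (char c in url)
            if (char.IsControl(c) || char.IsWhiteSpace(c)) return false;

        // "/path" is local; "//host" and "/\host" are not.
        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');

        // "~/path" (application-relative) follows the same rule one character later.
        if (url[0] == '~' && url.Length > 1 && url[1] == '/')
            return url.Length == 2 || (url[2] != '/' && url[2] != '\\');

        return false; // absolute URLs, scheme-relative URLs and bare hostnames are rejected
    }

    // Destination actually used after login: the supplied value only if it is local,
    // otherwise the application's own landing page.
    public static string SafeRedirectTarget(string returnUrl, string fallback = "/")
        => IsLocalUrl(returnUrl) ? returnUrl : fallback;

    public static void Main()
    {
        // Constructed sample return URLs, as a login page might receive them.
        string[] samples =
        {
            "/account/profile",       // local: accepted
            "~/orders?id=7",          // application-relative: accepted
            "//evil.example/login",   // scheme-relative: rejected
            "/\\evil.example",        // backslash form: rejected
            "https://evil.example/",  // absolute: rejected
            "",                       // empty: rejected
        };
        foreach (var s in samples)
            Console.WriteLine($"{s,-26} -> {SafeRedirectTarget(s)}");
    }
}
```

Inside an ASP.NET Core MVC controller the framework's own Url.IsLocalUrl(returnUrl) and LocalRedirect(returnUrl) provide the same guard without a hand-written check.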
Apply the appropriate patches as mentioned in Microsoft Security Guidance.
The information provided herein is on "as is" basis, without warranty of any kind.
Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003