CERT-In Vulnerability Note
Multiple Vulnerabilities in Microsoft ASP.NET Framework
Original Issue Date: January 11, 2018
Severity Rating: HIGH
- Microsoft ASP.NET Core 1.0
- Microsoft ASP.NET Core 1.1
- Microsoft ASP.NET Core 2.0
Multiple vulnerabilities have been reported in Microsoft ASP.NET, which could be exploited by a remote attacker to gain elevated privileges or conduct a cross-site request forgery (CSRF) attack.
1. Elevation of Privilege Vulnerability
A vulnerability exists in Microsoft ASP.NET Core due to improper sanitization of web requests performed by the affected software. An attacker could exploit this vulnerability by sending a specially crafted email, containing a malicious link, to a user. Alternatively, an attacker could use a chat client to social engineer a user into clicking the malicious link.
Successful exploitation of this vulnerability allows the attacker to obtain elevated privileges and perform injection attacks and run script in the security context of the logged-on user.
2. Cross Site Request Forgery Vulnerability
A vulnerability exists in Microsoft ASP.NET Core due to the use of vulnerable project templates when a web application is created with the affected software. An attacker could exploit this vulnerability by changing the recovery codes associated with the victim's user account without the user's consent.
Successful exploitation of this vulnerability could allow the attacker to modify the recovery codes of the user's two-factor authentication (2FA) device without the user's knowledge, which could lead to a denial of service (DoS) condition.
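The note does not say how the templates were vulnerable. As an added illustration (not code from this note, from Microsoft, or from the affected templates), the following shows the standard ASP.NET Core defence against this class of CSRF: a state-changing action that regenerates a user's 2FA recovery codes is restricted to POST and must carry a valid antiforgery token. The controller, action and view names are assumptions, and the Identity calls assume the ASP.NET Core 2.0 API.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Illustrative controller (hypothetical names) showing how a state-changing
// 2FA recovery-code action should be protected against CSRF in ASP.NET Core.
[Authorize]
public class RecoveryCodesController : Controller
{
    private readonly UserManager<IdentityUser> _userManager;

    public RecoveryCodesController(UserManager<IdentityUser> userManager)
    {
        _userManager = userManager;
    }

    // Weak pattern (shown only for contrast): a GET that changes server state
    // fires whenever the browser follows a link, so a user who is signed in
    // and clicks a link from an email or chat message loses their codes
    // without ever intending to.
    // [HttpGet] public async Task<IActionResult> Regenerate() { ... }

    // Hardened pattern: POST only, and the request must carry the antiforgery
    // token that ASP.NET Core issued to the user's own form (the <form> tag
    // helper in a Razor view adds the hidden field automatically). A request
    // originating from another site cannot read that token, so the filter
    // rejects it with HTTP 400 before any codes are changed.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Regenerate()
    {
        var user = await _userManager.GetUserAsync(User);
        if (user == null)
        {
            return NotFound();
        }

        // Only issue codes for an account that actually has 2FA enabled.
        if (!await _userManager.GetTwoFactorEnabledAsync(user))
        {
            return BadRequest("Two-factor authentication is not enabled.");
        }

        var codes = await _userManager.GenerateNewTwoFactorRecoveryCodesAsync(user, 10);
        // Display the new codes once; the "ShowRecoveryCodes" view is assumed.
        return View("ShowRecoveryCodes", codes);
    }
}
```

Registering the antiforgery filter globally (for example `services.AddMvc(o => o.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()))`) covers every non-GET action, so a template author cannot forget the attribute on any one handler.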
Apply the appropriate patches as mentioned in the Microsoft Security Guidance.
The information provided herein is on an "as is" basis, without warranty of any kind.
Email: firstname.lastname@example.org Phone: +91-11-24368572
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003