Microsoft Security Advisory CVE-2018-8292: .NET Core Information Disclosure Vulnerability #27587
Labels
area-System.Net.Http
documentation
Documentation bug or enhancement, does not impact product or test code
Security
Milestone
Microsoft Security Advisory CVE-2018-8292: .NET Core Information Disclosure Vulnerability
Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Microsoft is aware of a security feature bypass vulnerability that exists when .NET Core when HTTP authentication information is inadvertently exposed in an outbound request that encounters an HTTP redirect. An attacker who successfully exploited this vulnerability could use the information to further compromise the web application.
The update addresses the vulnerability by correcting how .NET Core applications handles HTTP redirects.
System administrators running .NET Core 1.0 or .NET Core 1.1 applications must update their .NET Core runtimes to versions 1.0.13 and 1.1.10 then restart their applications. If installed applications target .NET Core 2.0, the applications must be migrated to 2.1 or newer and redeployed.
Developers must update their .NET Core SDK to versions 1.1.11 and migrate any .NET Core 2.0 or ASP.NET Core 2.0 applications to 2.1 then redeploy.
Mitigation factors
None
Affected software
Any .NET Core application that runs on a .NET Core 1.0.x runtime with a version number of 1.0.12 or lower, or a .NET Core application that runs on a .NET Core 1.1.x runtime with a version number of 1.1.9 or lower, or a .NET Core application that runs on a .NET Core 2.0.x runtime.
Additionally package authors should check their dependencies to ensure they aren't depending on a vulnerable version of the following package:
Advisory FAQ
How do I know if I am affected?
Any .NET Core application that runs on a .NET Core 1.0.x runtime with a version number of 1.0.12 or lower, or a .NET Core application that runs on a .NET Core 1.1.x runtime with a version number of 1.1.9 or lower, or a .NET Core application that runs on a .NET Core 2.0.x runtime.
To check the currently installed runtimes and SDKs with version 2.1 or later of .NET Core, open a command prompt and run the
dotnet --info
command. You should see an output similar to the following:If you don't see a runtime entry for 1.0.13 or 1.1.10, any .NET Core 1.x applications run on that computer are vulnerable.
If you don't have a 2.1 version of the runtime or SDK installed, you can produce the complete list of runtimes by performing a directory listing in the install root directories. The default root directories are listed in the following table:
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\
/usr/local/share/dotnet/shared/Microsoft.NETCore.App/
/usr/share/dotnet/shared/Microsoft.NETCore.App/
Each runtime version is installed in its own directory, where the directory name is the version number. If you don't have a directory for 1.0.13, 1.1.10 then any application targeting versions 1.0 or 1.1 are vulnerable.
Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.
How do I fix the vulnerability?
System administrators are advised to update their .NET Core runtimes to versions 1.0.13, 1.1.10 and install the latest 2.1 runtime, ensuring that any 2.0 applications are migrated to 2.1 as soon as possible.
Developers are advised to update their .NET Core SDK to versions 1.1.11 and migrate any .NET Core or ASP.NET Core 2.0 applications to 2.1 and redeploy.
Other Information
Reporting Security Issues
If you have found a potential security issue in .NET Core, please email details to secure@microsoft.com. Reports may qualify for the .NET Core Bug Bounty. Details of the .NET Core Bug Bounty including terms and conditions are at https://aka.ms/corebounty.
Support
You can ask questions about this issue on GitHub in the .NET Core or ASP.NET Core organizations. These are located at https://github.com/dotnet/ and https://github.com/aspnet/, respectively. The Announcements repo for each product (https://github.com/dotnet/Announcements and https://github.com/aspnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the discussion issue.
Disclaimer
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
External Links
CVE-2018-8292
Revisions
V1.0 (October 10, 2018): Advisory published.
Version 1.0
Last Updated 2018-10-10
The text was updated successfully, but these errors were encountered: