-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Microsoft Security Advisory CVE-2023-21538 | .NET Denial of Service Vulnerability #80449
Comments
I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label. |
This comment was marked as resolved.
This comment was marked as resolved.
Hello @rbhanda, I have always felt rather helpless when receiving these announcements because they essentially say "there's a problem, upgrade to fix" but there's little detail about the actual vulnerability itself. Specifically, since .NET is open source, how would one find the code that was vulnerable and see how it was fixed (perhaps via a link to the relevant commits)? |
@ericmutta you can see the history of the |
Feels like this only impacts ASP.NET Core. Would a background service be impacted if it doesn't host any HTTP endpoint? |
What about .NET Core version 3.1 and .NET Core version 5 and we cannot upgrade to .NET 6 immediately. Is there patched versions for .NET 3.x.x and .NET 5.x.x? |
.netcore 3.x and .net 5.x are out of support. |
@lg2de As far as I understand they (5.x.x and 3.x.x) are also vulnerable, right? |
I expect the old version are vulnerable too. |
Tagging subscribers to this area: @dotnet/area-meta Issue DetailsMicrosoft Security Advisory CVE-2023-21538: .NET Denial of Service VulnerabilityExecutive summaryMicrosoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A denial of service vulnerability exists in .NET 6.0 where a malicious client could cause a stack overflow which may result in a denial of service attack when an attacker sends an invalid request to an exposed endpoint. AnnouncementAnnouncement for this issue can be found at dotnet/announcements#244 Mitigation factorsMicrosoft has not identified any mitigating factors for this vulnerability. Affected software
If your application uses the following package versions, ensure you update to the latest version of .NET. .NET 6
Advisory FAQHow do I know if I am affected?If you have a runtime or SDK with a version listed, or an affected package listed in affected software, you're exposed to the vulnerability. How do I fix the issue?
.NET 6.0 and and .NET 7.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates. Once you have installed the updated runtime or SDK, restart your apps for the update to take effect. Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed. Other InformationReporting Security IssuesIf you have found a potential security issue in .NET 6.0 or .NET 7.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty. SupportYou can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue. DisclaimerThe information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. AcknowledgementsJohan Gorter with AFAS Software External LinksRevisionsV1.0 (January 10, 2023): Advisory published. Version 1.0 Last Updated 2023-01-10
|
@ericmutta compare 6.0.13 to 6.012 in the runtime repo, it's fairly easy to spot which commit that fixes the issue. 😉 |
@niklasfp thanks for the link to the comparison...though for the life of me, I am having trouble mapping this vague description:
To one of these commits (which have equally vague titles): Scrolling through the entire list of changed files didn't help either...where is the code that could cause the stack to overflow? How would that translate into a denial of service? What type of request is being sent here? In what way is it invalid? I realise that if steps were taken to make answers to such questions easy to get, it may mean that malicious actors would be able to take advantage of unpatched code out there...but the whole experience feels less than ideal as it stands. Imagine going to the doctor for an operation, then when you are done, all they say is you were sick, but we fixed you now, just go home. Sure, you go home happy to have been fixed, but you can't help that nagging feeling of not knowing what the hell they did when they cut you open. That's how these CVE announcements feel right now...and while I am happy that .NET security issues get fixed, I hope we as a community can figure out a way to make the process more transparent and a learning experience (after all, if the smart people working on .NET can create insecure code, I would very much love to learn from their experiences in order to improve my own .NET code). |
@ericmutta here is the exact commit: 26f99bc |
@teo-tsirpanis you just saved the day! Thanks for the link to the exact commit which has this very informative description:
If future CVE announcements contained links to the relevant commits just like the one you provided, that would be fantastic all around 🚀 PS: to the .NET team and contributors who work hard on this framework (including fixing security issues) and then give it away to us for free - you are all awesome. We appreciate your hard work 🙏 |
Microsoft Security Advisory CVE-2023-21538: .NET Denial of Service Vulnerability
Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A denial of service vulnerability exists in .NET 6.0 where a malicious client could cause a stack overflow which may result in a denial of service attack when an attacker sends an invalid request to an exposed endpoint.
Announcement
Announcement for this issue can be found at dotnet/announcements#244
Mitigation factors
Microsoft has not identified any mitigating factors for this vulnerability.
Affected software
If your application uses the following package versions, ensure you update to the latest version of .NET.
.NET 6
Advisory FAQ
How do I know if I am affected?
If you have a runtime or SDK with a version listed, or an affected package listed in affected software, you're exposed to the vulnerability.
How do I fix the issue?
dotnet --info
command. You will see output like the following;.NET 6.0 and and .NET 7.0 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.
Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.
Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.
Other Information
Reporting Security Issues
If you have found a potential security issue in .NET 6.0 or .NET 7.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.
Support
You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.
Disclaimer
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Acknowledgements
Johan Gorter with AFAS Software
External Links
CVE-2023-21538
Revisions
V1.0 (January 10, 2023): Advisory published.
Version 1.0
Last Updated 2023-01-10
The text was updated successfully, but these errors were encountered: