Security bypass in Microsoft .NET Framework



Published: 2017-05-09
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2017-0248
CWE-ID CWE-295
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Microsoft .NET Framework
Server applications / Frameworks for developing and running applications

Vendor Microsoft

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Security bypass

EUVDB-ID: #VU6475

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2017-0248

CWE-ID: CWE-295 - Improper Certificate Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass certain security restrictions on the target system.

The weakness exists due to improper validation of certificates by Microsoft .NET Framework (and .NET Core) components. A remote attacker can force the usage of invalid certificates for certain use by affected component, disregard the Enhanced Key Usage taggings and bypass security restrictions.

Successful exploitation of the vulnerability results in security bypass.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Microsoft .NET Framework: 2.0 - 4.7


CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0248

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###