SB2018010909 - Multiple vulnerabilities in Microsoft .NET Framework
Published: January 9, 2018
Security Bulletin ID
SB2018010909
Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Security restrictions bypass (CVE-ID: CVE-2018-0786)
The vulnerability allows a remote attacker to bypass security restrictions on the target system.The weakness exists due to improper validation of certificates by Microsoft .NET Framework (and .NET Core) components. A remote attacker can supply an invalid certificate and disregard the Enhanced Key Usage taggings.
2) Improper Restriction of XML External Entity Reference (CVE-ID: CVE-2018-0764)
The vulnerability allows a remote attacker to cause DoS condition on the target system.The weakness exists due to improper processing of XML documents by .NET, and .NET core. A remote attacker can issue specially crafted requests to a .NET(or .NET core) application and cause the application to crash.
Remediation
Install update from vendor's website.