Multiple vulnerabilities in Microsoft .NET Framework



Published: 2019-02-13
Risk High
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2019-0657
CVE-2019-0613
CWE-ID CWE-451
CWE-119
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Microsoft .NET Framework
Server applications / Frameworks for developing and running applications

ASP.NET Core MVC
Universal components / Libraries / Software for developers

Visual Studio
Universal components / Libraries / Software for developers

Vendor Microsoft

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Spoofing attack

EUVDB-ID: #VU17638

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-0657

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: No

Description

The vulnerability allows a remote attacker to conduct spoofing attack.

The vulnerability exists in thev .Net Framework API's and Visual Studio in the way they parse URL's. A remote attacker can provide a URL string to an application that attempts to verify that the URL belongs to a specific hostname or to a subdomain of that hostname, bypass security logic intended to ensure that a user-provided URL belonged to a specific hostname or a subdomain of that hostname to cause privileged communication to be made to an untrusted service as if it was a trusted service.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft .NET Framework: 2.0 - 4.7.2

ASP.NET Core MVC: 1.0.0 - 2.2

Visual Studio: 15.0 26228.04 - 15.9

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0657


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Memory corruption

EUVDB-ID: #VU17640

Risk: High

CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-0613

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in .NET Framework and Visual Studio software when the software fails to check the source markup of a file. A remote attacker can create a specially crafted document, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft .NET Framework: 2.0 - 4.7.2

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0613


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###