Multiple vulnerabilities in Microsoft .NET Framework and Core
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2020-0605 CVE-2020-0606 CVE-2020-0646 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | Vulnerability #3 is being exploited in the wild. |
| Vulnerable software Subscribe |
Microsoft .NET Framework Server applications / Frameworks for developing and running applications Microsoft .NET Core Server applications / Frameworks for developing and running applications |
| Vendor | Microsoft |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
Updated: 25.03.2020
Added exploit to vulnerability #3, updated CVSS score.
1) Input validation error
EUVDB-ID: #VU24269
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-0605
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input when the software fails to check the source markup of a file. A remote attacker can trick a victim to open s specially crafted file and execute arbitrary code in the context of the current user.
MitigationInstall update from vendor's website.
Vulnerable software versionsMicrosoft .NET Framework: 3.0 - 4.8
Microsoft .NET Core: 3.0 - 3.1
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0605
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU24270
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-0606
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input when the software fails to check the source markup of a file. A remote attacker can trick a victim to open s specially crafted file and execute arbitrary code in the context of the current user.
MitigationInstall update from vendor's website.
Vulnerable software versionsMicrosoft .NET Framework: 3.0 - 4.8
Microsoft .NET Core: 3.0 - 3.1
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0606
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU24271
Risk: High
CVSSv3.1: 9.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2020-0646
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input in the Microsoft .NET Framework. A remote attacker can pass specific input to an application utilizing susceptible .Net methods and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMicrosoft .NET Framework: 3.0 - 4.8
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0646
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
