Security Updates for Microsoft .NET core and ASP.NET (DoS) (July 2018)

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(111071);
  script_version("1.8");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2018-8356");
  script_bugtraq_id(104664);
  script_xref(name:"MSKB", value:"4339279");
  script_xref(name:"MSFT", value:"MS18-4339279");

  script_name(english:"Security Updates for Microsoft .NET core and ASP.NET (DoS) (July 2018)");

  script_set_attribute(attribute:"synopsis", value:
"The Microsoft ASP.NET Core installations on the remote host contain vulnerable packages.");
  script_set_attribute(attribute:"description", value:
"The Microsoft ASP.NET Core installations on the remote
host are missing a security update. It is, therefore,
affected by the following vulnerability :

  - A security feature bypass vulnerability exists when Microsoft 
  .NET Framework components do not correctly validate certificates.
  An attacker could present expired certificates when challenged. The 
  security update addresses the vulnerability by ensuring that .NET 
  Framework components correctly validate certificates. (CVE-2018-8356)");
  # https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8356
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3e10f501");
  script_set_attribute(attribute:"see_also", value:"https://github.com/aspnet/Announcements/issues/311");
  script_set_attribute(attribute:"solution", value:
"Update ASP.NET Core, remove vulnerable packages and refer to vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-8356");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/07/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:asp.net_core");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("microsoft_asp_dotnet_core_win.nbin", "ms_bulletin_checks_possible.nasl");
  script_require_keys("installed_sw/ASP .NET Core Windows", "SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("global_settings.inc");
include("audit.inc");
include("install_func.inc");
include("misc_func.inc");
include("smb_func.inc");
include("vcf.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

appname = 'ASP .NET Core Windows';
package_dat = {
  'Microsoft.AspNetCore.All':{
    'constraints':[
      { "min_version" : "2.0.0", "fixed_version" : "2.0.13103.0" }, # 2.0.9
      { "min_version" : "2.1.0", "fixed_version" : "2.1.2" }
    ],
    'instances':make_list()
  },
  'Microsoft.AspNetCore.App':{
    'constraints':[
      { "min_version" : "2.1.0", "fixed_version" : "2.1.2" }
    ],
    'instances':make_list()
  },
  'Microsoft.AspNetCore.Server.Kestrel.Core':{
    'constraints':[
      { "min_version" : "2.0.0", "fixed_version" : "2.0.4" },
      { "min_version" : "2.1.0", "fixed_version" : "2.1.2" }
    ],
    'instances':make_list()
  }
};

port = kb_smb_transport();

# Only need one install - packages for all installs will be enumerated
install = get_single_install(app_name:appname);
version = install['version'];
path = install['path'];

# Parse extras
foreach package (keys(package_dat))
{
  foreach instance (split(install[package], sep:';', keep:false))
  {
    next = max_index(package_dat[package]['instances']);
    package_dat[package]['instances'][next] = split(instance, sep:'?', keep:false);
  }
}

report =
  '\n  Path              : ' + path +
  '\n  Installed version : ' + version +
  '\n';

vuln = false;
foreach package (keys(package_dat))
{
  foreach instance (package_dat[package]['instances'])
  {
    out = vcf::check_version(
      version:vcf::parse_version(instance[0]),
      constraints:package_dat[package]['constraints']
    );

    if (!vcf::is_error(out) && !isnull(out))
    {
      fixed_version = out['fixed_version'];
      if (fixed_version == "2.0.13103.0")
        fixed_version = "2.0.9 (2.0.13103.0)";

      vuln = true;
      report +=
        '\n  Package           : ' + package +
        '\n  Path              : ' + instance[1] +
        '\n  Installed version : ' + instance[0] +
        '\n  Fixed version     : ' + fixed_version +
        '\n';
    }
  }
}

if (vuln)
  security_report_v4(port:port, severity:SECURITY_NOTE, extra:report);
else
  audit(AUDIT_INST_VER_NOT_VULN, appname);