Lucene search

K
nessusThis script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.SMB_NT_MS20_JUL_DOTNET_CORE.NASL
HistoryJul 14, 2020 - 12:00 a.m.

Security Update for .NET Core (July 2020)

2020-07-1400:00:00
This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
77

The Microsoft .NET Core installation on the remote host is version 2.1.x < 2.1.20 or 3.1.x < 3.1.6. It is, therefore, affected by a remote code execution (RCE) vulnerability due to failing to check the source markup of XML file input. An unauthenticated, remote attacker can exploit this, by issuing specially crafted requests to applications that process certain types of XML, to execute arbitrary code in the context of the current user.

#
# (C) Tenable Network Security, Inc.
#

# The descriptive text and package checks in this plugin were
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
#

include('compat.inc');

if (description)
{
  script_id(138465);
  script_version("1.13");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/04/25");

  script_cve_id("CVE-2020-1147");
  script_xref(name:"IAVA", value:"2020-A-0304-S");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");

  script_name(english:"Security Update for .NET Core (July 2020)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by a .NET Core remote code execution (RCE) vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Microsoft .NET Core installation on the remote host is version 2.1.x < 2.1.20 or 3.1.x < 3.1.6. It is, therefore,
affected by a remote code execution (RCE) vulnerability due to failing to check the source markup of XML file input. An
unauthenticated, remote attacker can exploit this, by issuing specially crafted requests to applications that process
certain types of XML, to execute arbitrary code in the context of the current user.");
  # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?43ad1c2a");
  script_set_attribute(attribute:"see_also", value:"https://github.com/dotnet/announcements/issues/159");
  script_set_attribute(attribute:"solution", value:
"Refer to vendor documentation.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1147");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SharePoint DataSet / DataTable Deserialization');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/07/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/07/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/07/14");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:.net_core");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("microsoft_dotnet_core_win.nbin");
  script_require_keys("installed_sw/.NET Core Windows");

  exit(0);
}

include('vcf.inc');

app = '.NET Core Windows';
app_info = vcf::get_app_info(app:app, win_local:TRUE);

constraints = [
  { 'min_version' : '2.1.0', 'fixed_version' : '2.1.20' },
  { 'min_version' : '3.1.0', 'fixed_version' : '3.1.6'  }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);


VendorProductVersion
microsoft.net_core