Lucene search
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.SMB_NT_MS23_AUG_VISUAL_STUDIO.NASLHistoryAug 10, 2023 - 12:00 a.m.
Security Updates for Microsoft Visual Studio Products (August 2023)
2023-08-1000:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
21
microsoft visual studio
security updates
august 2023
.net core
remote code execution
denial of service
asp.net core signalr
information disclosure
cve-2023
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.008 Low
EPSS
Percentile
81.1%
The Microsoft Visual Studio Products are missing security updates. It is, therefore, affected by multiple vulnerabilities:
-
.NET Core and Visual Studio Denial of Service Vulnerability. (CVE-2023-38178)
-
.NET and Visual Studio Remote Code Execution Vulnerability. (CVE-2023-35390)
-
.NET and Visual Studio Denial of Service Vulnerability. (CVE-2023-38180)
-
ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability. (CVE-2023-35391)
Note that Nessus has not tested for this issue but has instead relied only on the applicationβs self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
##
include('compat.inc');
if (description)
{
script_id(179645);
script_version("1.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/15");
script_cve_id(
"CVE-2023-35390",
"CVE-2023-35391",
"CVE-2023-38178",
"CVE-2023-38180"
);
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2023/08/30");
script_xref(name:"IAVA", value:"2023-A-0415-S");
script_xref(name:"IAVA", value:"2023-A-0404-S");
script_xref(name:"IAVA", value:"2023-A-0406-S");
script_name(english:"Security Updates for Microsoft Visual Studio Products (August 2023)");
script_set_attribute(attribute:"synopsis", value:
"The Microsoft Visual Studio Products are affected by multiple vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The Microsoft Visual Studio Products are missing security updates. It is, therefore, affected by multiple
vulnerabilities:
- .NET Core and Visual Studio Denial of Service Vulnerability. (CVE-2023-38178)
- .NET and Visual Studio Remote Code Execution Vulnerability. (CVE-2023-35390)
- .NET and Visual Studio Denial of Service Vulnerability. (CVE-2023-38180)
- ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability. (CVE-2023-35391)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
# https://learn.microsoft.com/en-us/visualstudio/releases/2022/release-notes#1770--visual-studio-2022-version-177
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9a7fd065");
# https://learn.microsoft.com/en-us/visualstudio/releases/2022/release-notes-v17.6#17.6.6
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?03c492a3");
# https://learn.microsoft.com/en-us/visualstudio/releases/2022/release-notes-v17.4#17.4.10
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ee0cd3a3");
# https://learn.microsoft.com/en-us/visualstudio/releases/2022/release-notes-v17.2#17.2.18
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f36add8d");
script_set_attribute(attribute:"solution", value:
"Microsoft has released the following security updates to address this issue:
- Update 17.2.18 for Visual Studio 2022
- Update 17.4.10 for Visual Studio 2022
- Update 17.6.6 for Visual Studio 2022
- Update 17.7 for Visual Studio 2022");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-35391");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2023-35390");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/08/08");
script_set_attribute(attribute:"patch_publication_date", value:"2023/08/08");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/08/10");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visual_studio");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows : Microsoft Bulletins");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ms_bulletin_checks_possible.nasl", "microsoft_visual_studio_installed.nbin");
script_require_keys("SMB/MS_Bulletin_Checks/Possible", "installed_sw/Microsoft Visual Studio", "SMB/Registry/Enumerated");
script_require_ports(139, 445, "Host/patch_management_checks");
exit(0);
}
include('vcf_extras_visual_studio.inc');
get_kb_item_or_exit('SMB/Registry/Enumerated');
var app_info = vcf::visual_studio::get_app_info();
var constraints = [
{'product': '2022', 'min_version': '17.2', 'fixed_version': '17.2.33927.290', 'fixed_display': '17.2.33927.290 (17.2.18)'},
{'product': '2022', 'min_version': '17.4', 'fixed_version': '17.4.33927.135', 'fixed_display': '17.4.33927.135 (17.4.10)'},
{'product': '2022', 'min_version': '17.6', 'fixed_version': '17.6.33927.249', 'fixed_display': '17.6.33927.249 (17.6.6)'},
{'product': '2022', 'min_version': '17.7', 'fixed_version': '17.7.34003.232', 'fixed_display': '17.7.34003.232 (17.7.0)'}
];
vcf::visual_studio::check_version_and_report(
app_info: app_info,
constraints: constraints,
severity: SECURITY_HOLE
);| Vendor | Product | Version | CPE |
|---|---|---|---|
| microsoft | visual_studio | cpe:/a:microsoft:visual_studio |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35390
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35391
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38178
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38180
www.nessus.org/u?03c492a3
www.nessus.org/u?9a7fd065
www.nessus.org/u?ee0cd3a3
www.nessus.org/u?f36add8d
Related
openvas
openvas
.NET Core Multiple Vulnerabilities (KB5029688, KB5029689) - Windows
2023-08-09 00:00:00
Ubuntu: Security Advisory (USN-6278-1)
2023-08-09 00:00:00
Ubuntu: Security Advisory (USN-6278-2)
2023-08-11 00:00:00
mskb
mskb
.NET 6.0 Update - August 8, 2023 (KB5029688)
2023-08-08 07:00:00
.NET 7.0 Update - August 8, 2023 (KB5029689)
2023-08-08 07:00:00
nessus
nessus
Security Update for Microsoft .NET Core (August 2023)
2023-08-08 00:00:00
Security Update for .NET Core SDK (August 2023)
2023-09-05 00:00:00
Ubuntu 23.04 : .NET vulnerabilities (USN-6278-1)
2023-08-09 00:00:00
osv
osv
dotnet6, dotnet7 vulnerabilities
2023-08-10 19:34:11
Important: .NET 6.0 security, bug fix, and enhancement update
2023-10-06 23:10:12
Important: .NET 7.0 security, bug fix, and enhancement update
2023-08-14 00:00:00
ubuntu
ubuntu
.NET vulnerabilities
2023-08-10 00:00:00
.NET vulnerabilities
2023-08-08 00:00:00
oraclelinux
oraclelinux
.NET 7.0 security, bug fix, and enhancement update
2023-08-15 00:00:00
.NET 7.0 security, bug fix, and enhancement update
2023-08-16 00:00:00
.NET 6.0 security, bug fix, and enhancement update
2023-08-15 00:00:00
redhat
redhat
(RHSA-2023:4639) Important: .NET 6.0 security update
2023-08-14 13:45:39
fedora
fedora
[SECURITY] Fedora 37 Update: dotnet6.0-6.0.121-1.fc37
2023-08-20 00:45:06
[SECURITY] Fedora 37 Update: dotnet7.0-7.0.110-1.fc37
2023-08-20 00:45:07
[SECURITY] Fedora 38 Update: dotnet6.0-6.0.121-1.fc38
2023-08-20 00:49:10
almalinux
almalinux
Important: .NET 6.0 security, bug fix, and enhancement update
2023-08-14 00:00:00
Important: .NET 6.0 security, bug fix, and enhancement update
2023-08-14 00:00:00
Important: .NET 7.0 security, bug fix, and enhancement update
2023-08-14 00:00:00
rocky
rocky
.NET 7.0 security, bug fix, and enhancement update
2023-10-06 23:10:12
.NET 6.0 security, bug fix, and enhancement update
2023-10-06 23:10:12
ibm
ibm
kaspersky
kaspersky
KLA51717 Multiple vulnerabilities in Microsoft Developer Tools
2023-08-08 00:00:00
ubuntucve
ubuntucve
nvd
nvd
cve
cve
alpinelinux
alpinelinux
veracode
veracode
Denial Of Service (DoS)
2023-08-09 19:30:29
Information Disclosure
2023-08-11 12:59:03
Remote Code Execution (RCE)
2023-08-10 02:58:02
cvelist
cvelist
github
github
.NET Denial of Service Vulnerability
2023-08-09 12:56:43
.NET Information Disclosure Vulnerability
2023-08-11 20:54:45
.NET Remote Code Execution Vulnerability
2023-08-09 13:15:38
redhatcve
redhatcve
prion
prion
Information disclosure
2023-08-08 19:15:00
Denial of service
2023-08-08 19:15:00
Remote code execution
2023-08-08 18:15:00
mscve
mscve
.NET and Visual Studio Denial of Service Vulnerability
2023-08-08 07:00:00
ASP.NET Core SignalR and Visual Studio Information Disclosure Vulnerability
2023-08-08 07:00:00
.NET and Visual Studio Remote Code Execution Vulnerability
2023-08-08 07:00:00
cisa_kev
cisa_kev
Microsoft .NET Core and Visual Studio Denial-of-Service Vulnerability
2023-08-09 00:00:00
thn
thn
Microsoft Releases Patches for 74 New Vulnerabilities in August Update
2023-08-09 04:26:00
vulnrichment
vulnrichment
CVE-2023-35390 .NET and Visual Studio Remote Code Execution Vulnerability
2023-08-08 17:08:54
CVE-2023-38178 .NET Core and Visual Studio Denial of Service Vulnerability
2023-08-08 17:08:57
attackerkb
attackerkb
CVE-2023-38180
2023-08-08 00:00:00
krebs
krebs
Microsoft Patch Tuesday, August 2023 Edition
2023-08-09 02:22:57
malwarebytes
malwarebytes
August Patch Tuesday stops actively exploited attack chain and more
2023-08-10 01:00:00
ics
ics
Siemens ST7 ScadaConnect
2024-06-13 12:00:00
avleonov
avleonov
qualysblog
qualysblog
Microsoft and Adobe Patch Tuesday, August 2023 Security Update Review
2023-08-08 20:35:59
rapid7blog
rapid7blog
Patch Tuesday - August 2023
2023-08-08 21:11:35
talosblog
talosblog
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
0.008 Low
EPSS
Percentile
81.1%
Related for SMB_NT_MS23_AUG_VISUAL_STUDIO.NASL