Lucene search
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.SMB_NT_MS23_NOV_DOTNET_CORE_CVE-2023-36558.NASLHistoryNov 16, 2023 - 12:00 a.m.
Security Update for Microsoft .NET Core (November 2023) (CVE-2023-36558)
2023-11-1600:00:00
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
58
windows
.net core
security feature bypass
7.6 High
AI Score
Confidence
Low
The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by security feature bypass vulnerability as referenced in the vendor advisory.
- ASP.NET Core - Security Feature Bypass Vulnerability (CVE-2023-36558)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(185886);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/12");
script_cve_id("CVE-2023-36558");
script_xref(name:"IAVA", value:"2023-A-0615-S");
script_name(english:"Security Update for Microsoft .NET Core (November 2023) (CVE-2023-36558)");
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by a .NET Core vulnerability");
script_set_attribute(attribute:"description", value:
"The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by
security feature bypass vulnerability as referenced in the vendor advisory.
- ASP.NET Core - Security Feature Bypass Vulnerability (CVE-2023-36558)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://dotnet.microsoft.com/download/dotnet/6.0");
script_set_attribute(attribute:"see_also", value:"https://dotnet.microsoft.com/en-us/download/dotnet/7.0");
script_set_attribute(attribute:"see_also", value:"https://dotnet.microsoft.com/en-us/download/dotnet/8.0");
script_set_attribute(attribute:"see_also", value:"https://github.com/dotnet/announcements/issues/288");
script_set_attribute(attribute:"see_also", value:"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36558");
script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/help/5032883");
script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/help/5032884");
# https://github.com/dotnet/core/blob/main/release-notes/6.0/6.0.25/6.0.25.md
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?aac42578");
# https://github.com/dotnet/core/blob/main/release-notes/7.0/7.0.14/7.0.14.md
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5cacbbd5");
# https://github.com/dotnet/core/blob/main/release-notes/8.0/8.0.0/8.0.0.md
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1e233323");
script_set_attribute(attribute:"solution", value:
"Update .NET Core, remove vulnerable packages and refer to vendor advisory.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-36558");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/11/14");
script_set_attribute(attribute:"patch_publication_date", value:"2023/11/14");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/11/16");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:.net_core");
script_set_attribute(attribute:"generated_plugin", value:"former");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("microsoft_dotnet_core_win.nbin");
script_require_keys("installed_sw/.NET Core Windows");
exit(0);
}
include('vcf.inc');
get_kb_item_or_exit('SMB/Registry/Enumerated');
var conversions = {"preview" : -70, "rc": -20};
vcf::add_conversions(conversions);
var app_info = vcf::get_app_info(app:'.NET Core Windows', win_local:TRUE);
var constraints = [
{ 'min_version' : '6.0.0', 'fixed_version' : '6.0.25' },
{ 'min_version' : '7.0.0', 'fixed_version' : '7.0.14' },
{ 'min_version' : '8.0.0-preview.1', 'fixed_version' : '8.0.0' }
];
vcf::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_WARNING
);References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36558
www.nessus.org/u?1e233323
www.nessus.org/u?5cacbbd5
www.nessus.org/u?aac42578
dotnet.microsoft.com/download/dotnet/6.0
dotnet.microsoft.com/en-us/download/dotnet/7.0
dotnet.microsoft.com/en-us/download/dotnet/8.0
github.com/dotnet/announcements/issues/288
msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36558
support.microsoft.com/help/5032883
support.microsoft.com/help/5032884
Related
prion
prion
Security feature bypass
2023-11-14 22:15:00
osv
osv
BIT-aspnet-core-2023-36558
2024-03-06 10:51:21
Microsoft Security Advisory CVE-2023-36558: .NET Security Feature Bypass Vulnerability
2023-11-14 20:36:55
BIT-dotnet-sdk-2023-36558
2024-03-06 10:53:50
veracode
veracode
Security Bypass
2023-11-15 09:57:15
ubuntucve
ubuntucve
CVE-2023-36558
2023-11-14 00:00:00
redos
redos
ROS-20240329-04
2024-03-29 00:00:00
mscve
mscve
ASP.NET Core - Security Feature Bypass Vulnerability
2023-11-14 08:00:00
redhatcve
redhatcve
CVE-2023-36558
2023-11-15 14:13:05
nessus
nessus
Security Update for Microsoft ASP.NET Core (November 2023) (CVE-2023-36558)
2023-11-16 00:00:00
RHEL 7 : .NET 6.0 (RHSA-2023:7259)
2023-11-15 00:00:00
Ubuntu 22.04 LTS / 23.04 / 23.10 : .NET vulnerabilities (USN-6480-1)
2023-11-15 00:00:00
cve
cve
CVE-2023-36558
2023-11-14 22:15:29
github
github
alpinelinux
alpinelinux
CVE-2023-36558
2023-11-14 22:15:29
cvelist
cvelist
CVE-2023-36558 ASP.NET Core - Security Feature Bypass Vulnerability
2023-11-14 21:35:31
redhat
redhat
(RHSA-2023:7257) Moderate: dotnet6.0 security update
2023-11-15 17:24:45
(RHSA-2023:7253) Moderate: dotnet8.0 security update
2023-11-15 17:19:53
(RHSA-2023:7258) Moderate: dotnet6.0 security update
2023-11-15 17:26:10
openvas
openvas
Ubuntu: Security Advisory (USN-6480-1)
2023-11-16 00:00:00
.NET Core Multiple Vulnerabilities - Windows
2023-11-16 00:00:00
Microsoft .NET Framework Multiple Vulnerabilities (KB5032339)
2023-11-15 00:00:00
oraclelinux
oraclelinux
dotnet7.0 security update
2023-11-22 00:00:00
dotnet6.0 security update
2023-11-23 00:00:00
dotnet8.0 security update
2023-11-28 00:00:00
almalinux
almalinux
Moderate: dotnet8.0 security update
2023-11-15 00:00:00
Moderate: dotnet8.0 security update
2023-11-15 00:00:00
Moderate: dotnet6.0 security update
2023-11-15 00:00:00
mskb
mskb
.NET 7.0 Update - November 14, 2023 (KB5032884)
2023-11-14 08:00:00
.NET 6.0 Update - November 14, 2023 (KB5032883)
2023-11-14 08:00:00
ubuntu
ubuntu
.NET vulnerabilities
2023-11-15 00:00:00
rocky
rocky
dotnet6.0 security update
2023-11-28 22:43:36
dotnet7.0 security update
2023-11-28 22:43:36
kaspersky
kaspersky
KLA61979 Multiple vulnerabilities in Microsoft Developer Tools
2023-11-14 00:00:00
ibm
ibm
rapid7blog
rapid7blog
Patch Tuesday - November 2023
2023-11-14 21:27:09