Lucene search

HistoryJan 10, 2024 - 12:00 a.m.

Security Update for Microsoft .NET Core (January 2024)

2024-01-1000:00:00

www.tenable.com

154

microsoft.net

security update

vulnerability

9.2 High

AI Score

Confidence

High

JSON

The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 2024_Jan_09 advisory.

NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability (CVE-2024-0057)
.NET Denial of Service Vulnerability (CVE-2024-20672)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(187859);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/02/16");

  script_cve_id("CVE-2024-0057", "CVE-2024-20672");
  script_xref(name:"IAVA", value:"2024-A-0017-S");

  script_name(english:"Security Update for Microsoft .NET Core (January 2024)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by a .NET Core vulnerability");
  script_set_attribute(attribute:"description", value:
"The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by
multiple vulnerabilities as referenced in the 2024_Jan_09 advisory.

  - NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability (CVE-2024-0057)

  - .NET Denial of Service Vulnerability (CVE-2024-20672)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://dotnet.microsoft.com/download/dotnet/6.0");
  script_set_attribute(attribute:"see_also", value:"https://dotnet.microsoft.com/en-us/download/dotnet/7.0");
  script_set_attribute(attribute:"see_also", value:"https://dotnet.microsoft.com/en-us/download/dotnet/8.0");
  script_set_attribute(attribute:"see_also", value:"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-0057");
  script_set_attribute(attribute:"see_also", value:"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20672");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/help/5033733");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/help/5033734");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/help/5033741");
  # https://github.com/dotnet/core/blob/master/release-notes/6.0.0/6.0.26/6.0.26.md
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7cc3c135");
  # https://github.com/dotnet/core/blob/master/release-notes/7.0.0/7.0.15/7.0.15.md
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f9bea036");
  # https://github.com/dotnet/core/blob/master/release-notes/8.0.0/8.0.1/8.0.1.md
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?60479684");
  script_set_attribute(attribute:"solution", value:
"Update .NET Core, remove vulnerable packages and refer to vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-0057");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/01/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/01/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/01/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:.net_core");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("microsoft_dotnet_core_win.nbin");
  script_require_keys("installed_sw/.NET Core Windows");

  exit(0);
}

include('vcf.inc');
get_kb_item_or_exit('SMB/Registry/Enumerated');
var app_info = vcf::get_app_info(app:'.NET Core Windows', win_local:TRUE);
var constraints = [
  { 'min_version' : '6.0.0', 'fixed_version' : '6.0.26' },
  { 'min_version' : '7.0.0', 'fixed_version' : '7.0.15' },
  { 'min_version' : '8.0.0', 'fixed_version' : '8.0.1' }
];
vcf::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_HOLE
);

VendorProductVersionCPE
microsoft.net_corecpe:/a:microsoft:.net_core

Vendor	Product	Version	CPE
microsoft	.net_core		cpe:/a:microsoft:.net_core

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0057

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20672

www.nessus.org/u?60479684

www.nessus.org/u?7cc3c135

www.nessus.org/u?f9bea036

dotnet.microsoft.com/download/dotnet/6.0

dotnet.microsoft.com/en-us/download/dotnet/7.0

dotnet.microsoft.com/en-us/download/dotnet/8.0

msrc.microsoft.com/update-guide/vulnerability/CVE-2024-0057

msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20672

support.microsoft.com/help/5033733

support.microsoft.com/help/5033734

support.microsoft.com/help/5033741

9.2 High

AI Score

Confidence

High

JSON

Related for SMB_NT_MS24_JAN_DOTNET_CORE.NASL