Vulnerabilities > CVE-2018-8409 - Unspecified vulnerability in Microsoft .Net Core, Asp.Net Core and System.Io.Pipelines

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
microsoft
nessus
NVD
Published: 2018-09-13
Updated: 2022-10-04

Summary

A denial of service vulnerability exists when System.IO.Pipelines improperly handles requests, aka "System.IO.Pipelines Denial of Service." This affects .NET Core 2.1, System.IO.Pipelines, ASP.NET Core 2.1.

Vulnerable Configurations

Part Description Count
Application
Microsoft
18

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS18_SEP_ASPDOTNET_CORE_CVE-2018-8409.NASL
descriptionThe Microsoft ASP.NET Core installation on the remote host contains vulnerable packages. It is, therefore,affected by a Denial of Service vulnerability.
last seen2020-06-01
modified2020-06-02
plugin id117481
published2018-09-13
reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/117481
titleSecurity Updates for Microsoft .NET core and ASP.NET Core (DoS) (September 2018)
code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
#
include("compat.inc");

if (description)
{
  script_id(117481);
  script_version("1.6");
  script_cvs_date("Date: 2019/11/01");

  script_cve_id("CVE-2018-8409");
  script_bugtraq_id(105223);

  script_name(english:"Security Updates for Microsoft .NET core and ASP.NET Core (DoS) (September 2018)");
  script_summary(english:"Checks the version of ASP.NET Core packages.");

  script_set_attribute(attribute:"synopsis", value:
"The Microsoft ASP.NET Core installations on the remote host contain vulnerable packages..");
  script_set_attribute(attribute:"description", value:
"The Microsoft ASP.NET Core installation on the remote host contains 
vulnerable packages. It is, therefore,affected by a Denial of Service 
vulnerability.");
  # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8409
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ffb9c6e3");
  # https://blogs.msdn.microsoft.com/dotnet/2018/09/11/net-core-september-2018-update/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?08628312");
  script_set_attribute(attribute:"see_also", value:"https://github.com/aspnet/announcements/issues/316");
  script_set_attribute(attribute:"see_also", value:"https://github.com/dotnet/announcements/issues/83");
  script_set_attribute(attribute:"solution", value:
"Update ASP.NET Core, remove vulnerable packages and refer to vendor advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-8409");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/09/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/09/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/09/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:aspnet_core");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("microsoft_asp_dotnet_core_win.nbin");
  script_require_ports(139, 445);

  exit(0);
}

include("global_settings.inc");
include("audit.inc");
include("install_func.inc");
include("misc_func.inc");
include("smb_func.inc");
include("vcf.inc");

appname = 'ASP .NET Core Windows';
package_dat = {
  'Microsoft.AspNetCore.All':{
    'constraints':[
      { "min_version" : "2.1.0", "fixed_version" : "2.1.4" }
    ],
    'instances':make_list()
  },
  'Microsoft.AspNetCore.App':{
    'constraints':[
      { "min_version" : "2.1.0", "fixed_version" : "2.1.4" }
    ],
    'instances':make_list()
  },
  'System.IO.Pipelines':{
    'constraints':[
      { "min_version" : "4.5.0", "fixed_version" : "4.6.26814.2" },
    ],
    'instances':make_list()
  }
};

port = kb_smb_transport();

# Only need one install - packages for all installs will be enumerated
install = get_single_install(app_name:appname);
version = install['version'];
path = install['path'];
# Parse extras
foreach package (keys(package_dat))
{
  foreach instance (split(install[package], sep:';', keep:false))
  {
    next = max_index(package_dat[package]['instances']);
    package_dat[package]['instances'][next] = split(instance, sep:'?', keep:false);
  }
}

report =
  '\n  Path              : ' + path +
  '\n  Installed version : ' + version +
  '\n';

vuln = false;
foreach package (keys(package_dat))
{
  foreach instance (package_dat[package]['instances'])
  {
    out = vcf::check_version(
      version:vcf::parse_version(instance[0]),
      constraints:package_dat[package]['constraints']
    );
    if (!vcf::is_error(out) && !isnull(out))
    {
      vuln = true;
      report +=
        '\n  Package           : ' + package +
        '\n  Path              : ' + instance[1] +
        '\n  Installed version : ' + instance[0] +
        '\n  Fixed version     : ' + out['fixed_version'] +
        '\n';
    }
  }
}

if (vuln)
  security_report_v4(port:port, severity:SECURITY_WARNING, extra:report);
else
  audit(AUDIT_INST_VER_NOT_VULN, appname);

References