Vulnerabilities > CVE-2018-8416 - Unspecified vulnerability in Microsoft Asp.Net Core 2.1

047910
CVSS 4.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
microsoft
nessus

Summary

A tampering vulnerability exists when .NET Core improperly handles specially crafted files, aka ".NET Core Tampering Vulnerability." This affects .NET Core 2.1.

Vulnerable Configurations

Part Description Count
Application
Microsoft
1

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-3676.NASL
    descriptionAn update for rh-dotnet21-dotnet is now available for .NET Core on Red Hat Enterprise Linux. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. .NET Core is a managed software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. A new version of .NET Core that addresses a security vulnerability is now available. The updated version is .NET Core 2.1.5. Security Fix(es) : * .NET Core: Arbitrary file and directory creation (CVE-2018-8416) For more information, please refer to the upstream docs in the References section.
    last seen2020-06-12
    modified2018-12-04
    plugin id119413
    published2018-12-04
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119413
    titleRHEL 7 : dotNET (RHSA-2018:3676)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2018:3676. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(119413);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/11");
    
      script_cve_id("CVE-2018-8416");
      script_xref(name:"RHSA", value:"2018:3676");
    
      script_name(english:"RHEL 7 : dotNET (RHSA-2018:3676)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "An update for rh-dotnet21-dotnet is now available for .NET Core on Red
    Hat Enterprise Linux.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    .NET Core is a managed software framework. It implements a subset of
    the .NET framework APIs and several new APIs, and it includes a CLR
    implementation.
    
    A new version of .NET Core that addresses a security vulnerability is
    now available. The updated version is .NET Core 2.1.5.
    
    Security Fix(es) :
    
    * .NET Core: Arbitrary file and directory creation (CVE-2018-8416)
    
    For more information, please refer to the upstream docs in the
    References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2018:3676"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-8416"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rh-dotnet21-dotnet");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rh-dotnet21-dotnet-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rh-dotnet21-dotnet-host");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rh-dotnet21-dotnet-runtime-2.1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rh-dotnet21-dotnet-sdk-2.1");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rh-dotnet21-dotnet-sdk-2.1.5xx");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/11/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/04");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2018:3676";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"rh-dotnet21-dotnet-2.1.500-5.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"rh-dotnet21-dotnet-debuginfo-2.1.500-5.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"rh-dotnet21-dotnet-host-2.1.6-5.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"rh-dotnet21-dotnet-runtime-2.1-2.1.6-5.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"rh-dotnet21-dotnet-sdk-2.1-2.1.500-5.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"rh-dotnet21-dotnet-sdk-2.1.5xx-2.1.500-5.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "rh-dotnet21-dotnet / rh-dotnet21-dotnet-debuginfo / etc");
      }
    }
    
  • NASL familyWindows
    NASL idSMB_NT_MS18_NOV_DOTNET_CORE.NASL
    descriptionThe remote Windows host has an installation of .NET Core with a version of 2.1.x. Therefore, the host is affected by a tampering vulnerability which exists when .NET Core improperly handles specially crafted files. An attacker who successfully exploited this vulnerability could write arbitrary files and directories to certain limited locations on a vulnerable system.
    last seen2020-06-01
    modified2020-06-02
    plugin id118979
    published2018-11-16
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118979
    titleSecurity Update for .NET Core (November 2018)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(118979);
      script_version("1.4");
      script_cvs_date("Date: 2019/11/01");
    
      script_cve_id("CVE-2018-8416");
      script_bugtraq_id(105798);
    
      script_name(english:"Security Update for .NET Core (November 2018)");
      script_summary(english:"Checks for Windows Install of .NET Core.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by a .NET Core tampering vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host has an installation of .NET Core
    with a version of 2.1.x. Therefore, the host is affected 
    by a tampering vulnerability which exists when .NET Core
    improperly handles specially crafted files. An attacker 
    who successfully exploited this vulnerability could write 
    arbitrary files and directories to certain limited 
    locations on a vulnerable system.");
      script_set_attribute(attribute:"see_also", value:"https://github.com/dotnet/corefx/pull/32127");
      # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8416
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?fe37e3a1");
      script_set_attribute(attribute:"solution", value:
    "Refer to vendor documentation.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-8416");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/11/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/11/16");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:.net_core");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("microsoft_dotnet_core_win.nbin");
      script_require_keys("installed_sw/.NET Core Windows", "Settings/ParanoidReport");
      script_require_ports(139, 445);
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("audit.inc");
    include("install_func.inc");
    include("misc_func.inc");
    
    appname = '.NET Core Windows';
    
    get_kb_item_or_exit("installed_sw/.NET Core Windows");
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    port = get_kb_item("SMB/transport");
    if(port) port = int(port);
    else port = 445;
    
    installs = get_installs(app_name:appname, exit_if_not_found:TRUE);
    fix = NULL;
    
    foreach install (installs[1])
    {
      version = install['version'];
      path = install['path'];
    
      if (version =~ '^2\\.1\\.') fix = 'Refer to vendor documentation.';
    
      if (!empty_or_null(fix))
        report +=
          '\n  Path              : ' + path +
          '\n  Installed version : ' + version +
          '\n  Fix               : ' + fix +
          '\n';
    }
    
    if (empty_or_null(report))
      audit(AUDIT_INST_VER_NOT_VULN, appname);
    
    security_report_v4(port:port, severity:SECURITY_WARNING, extra:report);
      
  • NASL familyWindows
    NASL idSMB_NT_MS19_JAN_DOTNET_CORE.NASL
    descriptionThe remote Windows host has an installation of .NET Core with a version 2.1.x < 2.1.7 or 2.2.x < 2.2.1. It is, therefore, affected by the following vulnerabilities: - An information disclosure vulnerability exists in .NET Core. An unauthenticated, remote attacker can exploit this to bypass cross-origin resource sharing (CORS), to disclose potentially sensitive information. (CVE-2019-0545) - A tampering vulnerability exists in .NET Core. An authenticated, remote attacker can exploit this to write arbitrary files and directories with limited control of their destinations. (CVE-2018-8416)
    last seen2020-06-01
    modified2020-06-02
    plugin id123132
    published2019-03-27
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123132
    titleSecurity Update for .NET Core (January 2019)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(123132);
      script_version("1.2");
      script_cvs_date("Date: 2019/10/30 13:24:47");
    
      script_cve_id("CVE-2019-0545", "CVE-2018-8416");
      script_bugtraq_id(106405, 105798);
    
      script_name(english:"Security Update for .NET Core (January 2019)");
      script_summary(english:"Checks for Windows Install of .NET Core.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by a .NET Core tampering and
    information disclosure vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host has an installation of .NET Core with a
    version 2.1.x < 2.1.7 or 2.2.x < 2.2.1. 
    It is, therefore, affected by the following vulnerabilities:
    
      - An information disclosure vulnerability exists in .NET Core.
      An unauthenticated, remote attacker can exploit this to bypass
      cross-origin resource sharing (CORS), to disclose potentially
      sensitive information. (CVE-2019-0545)
    
      - A tampering vulnerability exists in .NET Core. An
      authenticated, remote attacker can exploit this to write arbitrary
      files and directories with limited control of their destinations.
      (CVE-2018-8416)");
      # https://blogs.msdn.microsoft.com/dotnet/2019/01/08/net-core-january-2019-update/
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?75ce0f6d");
      # https://github.com/dotnet/core/blob/master/release-notes/2.1/2.1.7/2.1.7.md
      script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?5c7dc693");
      # https://github.com/dotnet/core/blob/master/release-notes/2.2/2.2.1/2.2.1.md
      script_set_attribute(attribute:"see_also",value:"http://www.nessus.org/u?ae0a1b1a");
      script_set_attribute(attribute:"solution", value:"Refer to vendor documentation.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-0545");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/01/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/27");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:.net_core");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("microsoft_dotnet_core_win.nbin");
      script_require_keys("installed_sw/.NET Core Windows");
    
      exit(0);
    }
    
    include('vcf.inc');
    
    app = '.NET Core Windows';
    app_info = vcf::get_app_info(app:app, win_local:TRUE);
    
    constraints = [
      { 'min_version' : '2.1', 'fixed_version' : '2.1.7.27130', 'fixed_display' : '2.1.7 (2.1.7.27130)' },
      { 'min_version' : '2.2', 'fixed_version' : '2.2.1.27207', 'fixed_display' : '2.2.1 (2.2.1.27207)' }
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
    

Redhat

advisories
rhsa
idRHSA-2018:3676
rpms
  • rh-dotnet21-dotnet-0:2.1.500-5.el7
  • rh-dotnet21-dotnet-debuginfo-0:2.1.500-5.el7
  • rh-dotnet21-dotnet-host-0:2.1.6-5.el7
  • rh-dotnet21-dotnet-runtime-2.1-0:2.1.6-5.el7
  • rh-dotnet21-dotnet-sdk-2.1-0:2.1.500-5.el7
  • rh-dotnet21-dotnet-sdk-2.1.5xx-0:2.1.500-5.el7

The Hacker News

idTHN:FC0A657EEDC66A38CB29C06FB477EEF0
last seen2018-11-14
modified2018-11-14
published2018-11-14
reporterThe Hacker News
sourcehttps://thehackernews.com/2018/11/microsoft-patch-tuesday-updates.html
title63 New Flaws (Including 0-Days) Windows Users Need to Patch Now