Critical ASP.NET core vulnerability earns Microsoft’s highest-ever severity score

The CVSS confusion: Despite Dorrans’ cautious assessment of the actual risk, the 9.9 CVSS rating has caused considerable confusion among developers, with many questioning whether the vulnerability truly warrants such an extreme severity score. Dorrans addressed this directly in the GitHub discussion, explaining that Microsoft’s scoring methodology accounts for worst-case scenarios. “On its own for ASP.NET Core,” he wrote, the rating would be “nowhere near that high.” But Microsoft scores vulnerabilities based on the potential for “a security feature bypass which changes scope,” meaning the attack could affect components beyond the initially vulnerable one. When developers asked for specifics about which application code patterns might be vulnerable, Dorrans offered cautious responses. “Anything that does something with a request could be problematic,” he said, adding that “an app that does authentication and has access rules based on the authentication may be vulnerable.” He noted, however, that these were personal observations rather than official Microsoft guidance.

Who needs to patch?: The vulnerability affects a wide range of ASP.NET Core versions. According to the advisory, any application running ASP.NET Core 10.0.0-rc.1.25451.107 or earlier, ASP.NET Core 9.0.9 or earlier, ASP.NET Core 8.0.20 or earlier, or ASP.NET Core 2.x with Microsoft.AspNetCore.Server.Kestrel.Core version 2.3.0 or earlier is susceptible to the flaw. Organizations face different patching requirements depending on their deployment model. Applications using framework-dependent deployments rely on the .NET runtime installed on the server, meaning administrators must update the server itself. Those using self-contained deployments, which bundle the runtime with the application, must rebuild and redeploy each affected application individually. Microsoft released patched versions across all supported releases. Developers should upgrade to the .NET 8.0.21 Runtime or .NET 8.0.318 SDK for version 8, the .NET 9.0.10 Runtime or .NET 9.0.111 SDK for version 9, or the .NET 10.0.0-rc.2.25476.107 Runtime for the version 10 pre-release, the advisory said. For legacy ASP.NET Core 2.x applications, Microsoft released Kestrel.Core package version 2.3.6 through NuGet.
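As an added example (not from the article, the advisory, or Microsoft), the following script flags installed ASP.NET Core shared runtimes that fall inside the affected ranges quoted above, handling the pre-release ordering needed for the 10.0.0-rc builds; the `dotnet --list-runtimes` output it parses is a constructed sample, and 2.x applications (judged by the Kestrel.Core package version, not the runtime) are out of its scope.

```python
"""Flag Microsoft.AspNetCore.App runtimes at or below the last affected
build per major release named in the advisory. Added example, not
Microsoft's tooling; the sample listing below is constructed."""
import re

# Last affected version per major, as quoted in the article. 2.x is
# governed by the Kestrel.Core package version and is not covered here.
LAST_AFFECTED = {
    8: "8.0.20",
    9: "9.0.9",
    10: "10.0.0-rc.1.25451.107",
}

# A `dotnet --list-runtimes` line looks like: "<name> <version> [<path>]".
RUNTIME_LINE = re.compile(r"^Microsoft\.AspNetCore\.App (\S+) \[")


def parse_version(text):
    """Turn '10.0.0-rc.1.25451.107' into a sortable key following SemVer
    rules: numeric parts compare numerically, a release (no prerelease
    tag) sorts above every prerelease of the same core version, and
    within a prerelease numeric identifiers sort below alphanumeric ones."""
    core, _, pre = text.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    if not pre:
        return nums + ((1,),)
    pre_key = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return nums + ((0, pre_key),)


def is_affected(version):
    """True if this runtime version is at or below the last affected build
    for its major release; majors not in the table are reported as not
    affected because the advisory excerpt gives no range for them."""
    last = LAST_AFFECTED.get(int(version.split(".")[0]))
    return last is not None and parse_version(version) <= parse_version(last)


def affected_runtimes(listing):
    """Return the affected Microsoft.AspNetCore.App versions found in
    `dotnet --list-runtimes` output, in listing order."""
    hits = []
    for line in listing.splitlines():
        m = RUNTIME_LINE.match(line.strip())
        if m and is_affected(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample output, not captured from a real host.
SAMPLE_LISTING = """\
Microsoft.AspNetCore.App 8.0.20 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.21 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.9 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.0-rc.1.25451.107 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.0-rc.2.25476.107 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.21 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    for v in affected_runtimes(SAMPLE_LISTING):
        print("affected runtime:", v)
```

On a real host, pipe `dotnet --list-runtimes` into `affected_runtimes`; a self-contained deployment carries its own runtime and must be checked from its build, not from the server listing.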

Some may already be protected: Not all organizations may need to take immediate action, however. One mitigating factor is that applications protected by reverse proxies or API gateways may already have adequate defenses, Dorrans said. “If a gateway or proxy removes smuggled requests, the application is protected,” he wrote. However, Kestrel deployments that directly face the internet without such intermediary filtering remain vulnerable. Microsoft stated in its official update guide that the vulnerability is not known to be exploited in the wild. Despite this, Dorrans advised that organizations should evaluate their specific risks carefully. “Only you can evaluate the risks to your application,” he wrote, while recommending that “the cautious approach is to patch as soon as possible.”

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4074590/critical-asp-net-core-vulnerability-earns-microsofts-highest-ever-severity-score.html
