Security Updates for Microsoft .NET core and ASP.NET (Bypass) (July 2018)

Medium Nessus Plugin ID 111070

Synopsis

The Microsoft ASP.NET Core installations on the remote host contain vulnerable packages.

Description

The Microsoft .NET and ASP.NET installations on the remote host are missing a security update. It is, therefore, affected by the following vulnerability :

 - A Security Feature Bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated. An attacker who successfully exploited this vulnerability could try an infinite number of authentication attempts. The update addresses the vulnerability by validating the number of incorrect login attempts. (CVE-2018-8171)

Solution

Update ASP.NET Core, remove vulnerable packages and refer to vendor advisory.

See Also

http://www.nessus.org/u?59900f80

https://github.com/aspnet/Announcements/issues/310

Plugin Details

Severity: Medium

ID: 111070

File Name: smb_nt_ms18_jul_aspdotnet_core_CVE-2018-8171.nasl

Version: 1.3

Type: local

Agent: windows

Published: 2018/07/13

Modified: 2018/09/17

Dependencies: 104667

Risk Information

Risk Factor: Medium

CVSS Score Source: manual

CVSS Score Rationale: Nvd score unavailable. assigned cvss score for bypass.

CVSS v2.0

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS v3.0

Base Score: 5.6

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Vulnerability Information

CPE: cpe:/a:microsoft:aspnet_core

Required KB Items: installed_sw/ASP .NET Core Windows

Patch Publication Date: 2018/07/10

Vulnerability Publication Date: 2018/07/10

Reference Information

CVE: CVE-2018-8171

BID: 104659

MSKB: 4339279

MSFT: MS18-4339279