Security Updates for Microsoft .NET core and ASP.NET (Bypass) (July 2018)

high Nessus Plugin ID 111070

Synopsis

The Microsoft ASP.NET Core installations on the remote host contain vulnerable packages.

Description

The Microsoft .NET and ASP.NET installations on the remote host are missing a security update. It is, therefore, affected by the following vulnerability :

- A Security Feature Bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated. An attacker who successfully exploited this vulnerability could try an infinite number of authentication attempts. The update addresses the vulnerability by validating the number of incorrect login attempts. (CVE-2018-8171)

Solution

Update ASP.NET Core, remove vulnerable packages and refer to vendor advisory.

See Also

http://www.nessus.org/u?59900f80

https://github.com/aspnet/Announcements/issues/310

Plugin Details

Severity: High

ID: 111070

File Name: smb_nt_ms18_jul_aspdotnet_core_CVE-2018-8171.nasl

Version: 1.7

Type: local

Agent: windows

Published: 7/13/2018

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2018-8171

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:microsoft:asp.net_core

Required KB Items: installed_sw/ASP .NET Core Windows

Exploit Ease: No known exploits are available

Patch Publication Date: 7/10/2018

Vulnerability Publication Date: 7/10/2018

Reference Information

CVE: CVE-2018-8171

BID: 104659

MSFT: MS18-4339279

MSKB: 4339279