Rewterz Threat Advisory – Multiple Microsoft ASP.NET and Visual Studio Vulnerabilities

Severity

High

Analysis Summary

CVE-2023-36558 CVSS:6.2

Microsoft ASP.NET could allow a local attacker to bypass security restriction. An attacker could exploit this vulnerability to bypass validations on Blazor Server forms.

CVE-2023-36038 CVSS:8.2

Microsoft ASP.NET is vulnerable to a denial of service. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.

CVE-2023-36560 CVSS:8.8

Microsoft ASP.NET Core could allow a remote authenticated attacker to bypass security restrictions. An attacker could exploit this vulnerability to bypass security checks that prevent an attacker from accessing internal applications in a website.

CVE-2023-36042 CVSS:6.2

Microsoft Visual Studio is vulnerable to a denial of service. By sending a specially crafted request, a local attacker could exploit this vulnerability to cause a denial of service.

CVE-2023-36018 CVSS:7.8

Microsoft Visual Studio Code Jupyter Extension could allow a remote attacker to conduct spoofing attacks.

CVE-2023-36049 CVSS:7.6

Microsoft .NET, .NET Framework and Visual Studio could allow a remote authenticated attacker to gain elevated privileges on the system. By injecting arbitrary commands in the FTP server, an attacker could exploit this vulnerability to escalate privileges.

Impact

• Denial of Service
• Privileges Escalation
• Security Bypass
• Gain Access

Indicators Of Compromise

CVE

• CVE-2023-36558
• CVE-2023-36038
• CVE-2023-36560
• CVE-2023-36042
• CVE-2023-36018
• CVE-2023-36049

Affected Vendors

Microsoft

Affected Products

• Microsoft .NET 6.0
• Microsoft .NET 7.0
• Microsoft .NET 8.0
• Microsoft Visual Studio 2022 17.2
• Microsoft Visual Studio 2022 17.4
• Microsoft Visual Studio 2022 17.6
• Microsoft Visual Studio 2022 17.7
• Microsoft ASP.NET Core 6.0
• Microsoft ASP.NET Core 7.0
• Microsoft .NET Core 8.0
• Microsoft .NET Framework 4.8
• Microsoft .NET Framework 3.5
• Microsoft .NET Framework 3.5.1
• Microsoft Jupyter Extension for Visual Studio Code
• Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 for 32-bit Systems 1607
• Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 for X64-based Systems 1607
• Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016
• Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016 (Server Core installation)
• Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for X64-based Systems Service Pack 2
• Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2
• Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2
• Microsoft .NET Framework 3.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2
• Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
• Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012
• Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation)
• Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2
• Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation)

Remediation

Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches.

CVE-2023-36558

CVE-2023-36038

CVE-2023-36560

CVE-2023-36042

CVE-2023-36018

CVE-2023-36049