CVE-2017-0248

Published: 09 May 2017
Source: msrc
EPSS: Low

Description

.NET Security Feature Bypass Vulnerability

A security feature bypass vulnerability exists when Microsoft .NET Framework (and .NET Core) components do not completely validate certificates.

An attacker could present a certificate that is marked invalid for a specific use, but the component uses it for that purpose. This action disregards the Enhanced Key Usage taggings.

The security update addresses the vulnerability by helping to ensure that .NET Framework (and .NET Core) components completely validate certificates.
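
The check the description refers to, as an added example (not Microsoft's fix and not code from the advisory): a certificate is accepted for a purpose only when its Enhanced Key Usage extension lists that purpose. The names `PermitsUsage`, `MakeCert` and `requireEku` are hypothetical, the certificates are constructed in the program, and `CertificateRequest` assumes .NET Framework 4.7.2 or later, or .NET Core 2.0 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class EkuCheck
{
    const string ServerAuth = "1.3.6.1.5.5.7.3.1"; // id-kp-serverAuth
    const string ClientAuth = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth
    const string AnyEku     = "2.5.29.37.0";       // anyExtendedKeyUsage

    // True only if the certificate's EKU extension permits the requested purpose.
    // A certificate without an EKU extension is unrestricted under RFC 5280;
    // requireEku = true applies the stricter policy and rejects it.
    static bool PermitsUsage(X509Certificate2 cert, string purposeOid, bool requireEku)
    {
        var eku = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().FirstOrDefault();
        if (eku == null) return !requireEku;
        return eku.EnhancedKeyUsages.Cast<Oid>()
                  .Any(o => o.Value == purposeOid || o.Value == AnyEku);
    }

    // Constructed sample input: a short-lived self-signed certificate with the given EKUs.
    static X509Certificate2 MakeCert(string subject, params string[] ekuOids)
    {
        using (RSA key = RSA.Create(2048))
        {
            var req = new CertificateRequest(subject, key,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            if (ekuOids.Length > 0)
            {
                var oids = new OidCollection();
                foreach (string oid in ekuOids) oids.Add(new Oid(oid));
                req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(oids, true));
            }
            return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5),
                                        DateTimeOffset.UtcNow.AddDays(1));
        }
    }

    static void Main()
    {
        using (X509Certificate2 clientOnly = MakeCert("CN=constructed-client", ClientAuth))
        using (X509Certificate2 noEku = MakeCert("CN=constructed-no-eku"))
        {
            Console.WriteLine("client cert as client: " + PermitsUsage(clientOnly, ClientAuth, true));
            Console.WriteLine("client cert as server: " + PermitsUsage(clientOnly, ServerAuth, true));
            Console.WriteLine("no-EKU cert as server: " + PermitsUsage(noEku, ServerAuth, true));
        }
    }
}
```

This check covers only the leaf certificate's EKU; chain building, revocation and name validation still have to pass separately.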

FAQ

How do I determine which version of Microsoft .NET Framework is installed on my system?

You can install and run multiple versions of .NET Framework on a system, and you can install the versions in any order. For more information, see Microsoft Knowledge Base Article 318785.

How do I locate the updates for the versions of .NET Framework installed on my system?

The download links in the Affected Products table are to the Parent KB number in the Microsoft Update Catalog. To locate the packages you need to download, in the Microsoft Update Catalog, click Download for the platform you have installed on your system. In the Download window, click to download each update that is applicable to your system.

Customers who have updates automatically installed will be offered the Parent KB; however, the package KB numbers listed for each platform will be displayed in Add Remove Programs.

The following table lists the Parent KB numbers for the Monthly Rollup Releases and the Security Only Releases, and the package KB numbers they contain. For more information about Microsoft's update servicing model for Microsoft .NET Framework, see this Microsoft .NET Blog Post.

| Platform | Monthly Rollup Release: Parent KB | Monthly Rollup Release: Child KBs | Security Only Release: Parent KB | Security Only Release: Child KBs |
|---|---|---|---|---|
| Windows Server 2008 | 4019115 | 4014502 - .NET Framework 2.0 | 4019109 | 4014575 - .NET Framework 2.0 |
| | | 4014514 - .NET Framework 4.5.2 | | 4014599 - .NET Framework 4.5.2 |
| | | 4014511 - .NET Framework 4.6 | | 4014591 - .NET Framework 4.6 |
| Windows 7 / Windows Server 2008 R2 | 4019112 | 4014504 - .NET Framework 3.5.1 | 4019108 | 4014579 - .NET Framework 3.5.1 |
| | | 4014514 - .NET Framework 4.5.2 | | 4014599 - .NET Framework 4.5.2 |
| | | 4014511 - .NET Framework 4.6/4.6.1 | | 4014591 - .NET Framework 4.6/4.6.1 |
| | | 4014508 - .NET Framework 4.6.2 | | 4014588 - .NET Framework 4.6.2 |
| Windows Server 2012 | 4019113 | 4014503 - .NET Framework 3.5 | 4019110 | 4014577 - .NET Framework 3.5 |
| | | 4014513 - .NET Framework 4.5.2 | | 4014597 - .NET Framework 4.5.2 |
| | | 4014509 - .NET Framework 4.6/4.6.1 | | 4014589 - .NET Framework 4.6/4.6.1 |
| | | 4014506 - .NET Framework 4.6.2 | | 4014586 - .NET Framework 4.6.2 |
| Windows 8.1 / Windows Server 2012 R2 | 4019114 | 4014505 - .NET Framework 3.5 | 4019111 | 4014581 - .NET Framework 3.5 |
| | | 4014512 - .NET Framework 4.5.2 | | 4014595 - .NET Framework 4.5.2 |
| | | 4014510 - .NET Framework 4.6/4.6.1 | | 4014590 - .NET Framework 4.6/4.6.1 |
| | | 4014507 - .NET Framework 4.6.2 | | 4014587 - .NET Framework 4.6.2 |

| Windows 10 Platforms | Parent KB | .NET Framework Product | |
|---|---|---|---|
| Windows 10 | 4019474 | .NET Framework 3.5 | None |
| | | .NET Framework 4.6 | |
| Windows 10 Version 1511 | 4019473 | .NET Framework 3.5 | None |
| | | .NET Framework 4.6.1 | |
| Windows 10 Version 1607 | 4019472 | .NET Framework 3.5 | None |
| | | .NET Framework 4.6.2 | |
| Windows Server 2016 | 4019472 | .NET Framework 3.5 | None |
| | | .NET Framework 4.6.2 | |
| Windows 10 Version 1703 | 4019471 | .NET Framework 4.7 | None |

Updates

Product | Article | Update
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2
Microsoft .NET Framework 3.5 on Windows Server 2012 (Server Core installation)
Microsoft .NET Framework 3.5 on Windows Server 2012
Microsoft .NET Framework 3.5.1 on Windows 7 for 32-bit Systems Service Pack 1
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Microsoft .NET Framework 3.5.1 on Windows 7 for x64-based Systems Service Pack 1

Exploitability

Publicly Disclosed: No
Exploited: No
Latest Software Release: Exploitation Unlikely
Older Software Release: Exploitation Unlikely
DOS: N/A

EPSS

Percentile: 77%
0.01092
Low

Related vulnerabilities

CVSS3: 7.5
nvd
about 8 years ago

Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to bypass Enhanced Security Usage taggings when they present a certificate that is invalid for a specific use, aka ".NET Security Feature Bypass Vulnerability."

github
more than 6 years ago

Moderate severity vulnerability that affects Microsoft.AspNetCore.Mvc and Microsoft.AspNetCore.Mvc.Core
