Microsoft Visual Studio is an integrated development environment (IDE) from Microsoft. It is used to develop computer programs including websites, web apps, web services and mobile apps. Visual Studio uses Microsoft software development platforms such as Windows API, Windows Forms, Windows Presentation Foundation, Windows Store and Microsoft Silverlight. It can produce both native code and managed code. .NET (pronounced as “dot net”; formerly named .NET Core) is a free and open-source, managed computer software framework for Windows, Linux, and macOS operating systems. It is a cross-platform successor to .NET Framework.
A vulnerability exists in .NET’s Kestrel Web Server where, on detecting a potentially malicious client, Kestrel will sometimes fail to disconnect it, resulting in a Denial of Service (DoS).
If exploited or triggered, the impacted product may slow down, crash due to unhandled errors, or lock out legitimate users.
NOTE: This vulnerability has been reported by the CISA (America’s Cyber Defense Agency) to be known to be currently actively exploited in the wild as of 10/08/2023.
* Microsoft Visual Studio 2022 version 17.6 prior to Build 17.6.6
* Microsoft Visual Studio 2022 version 17.4 prior to Build 17.4.10
* Microsoft Visual Studio 2022 version 17.2 prior to Build 17.2.18
* .NET 7.0 prior to Build 7.0.10
* .NET 6.0 prior to Build 6.0.21
* ASP.NET Core 2.1 prior to Build 2.1.40
Customers are advised to upgrade to the latest version of the impacted Microsoft product. To fix the issue please install the latest version of .NET 6.0 or .NET 7.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
Updates to Microsoft Visual Studio and .NET may be available via the built-in package manager or auto-update system in the Operation System, or alternatively may be downloaded directly via the MSRC website’s download page, located at [[https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-38180]].
* If you’re using .NET 7.0, you should download and install Runtime 7.0.10 or SDK 7.0.110 (for Visual Studio 2022 v17.4) from [[https://dotnet.microsoft.com/download/dotnet-core/7.0]].
* If you’re using .NET 6.0, you should download and install Runtime 6.0.21 or SDK 6.0.316 (for Visual Studio 2022 v17.2) from [[https://dotnet.microsoft.com/download/dotnet-core/6.0]].
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
If your application is running behind a reverse proxy, or Web Application Firewall, which has its own mitigations against HTTP based attacks this issue may be mitigated by the proxy or WAF
NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.
References **[[https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38180]] [[https://github.com/dotnet/announcements/issues/269]]
Category: Denial of Service (DOS)
AppCheck has added a plugin to detect the flaw that will run as part of your standard scans.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
No software to download or install.
Contact us or call us 0113 887 8380
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network and cloud infrastructure. AppCheck are authorized by te Common Vulnerabilities and Exposures (CVE) Program aas a CVE Numbering Authority (CNA)