CVE-2023-38180: Microsoft .NET Core and Visual Studio – Denial of Service (DoS) Vulnerability in Kestrel Web Server

Background & Context

Microsoft Visual Studio is an integrated development environment (IDE) from Microsoft. It is used to develop computer programs including websites, web apps, web services and mobile apps. Visual Studio uses Microsoft software development platforms such as Windows API, Windows Forms, Windows Presentation Foundation, Windows Store and Microsoft Silverlight. It can produce both native code and managed code. .NET (pronounced as “dot net”; formerly named .NET Core) is a free and open-source, managed computer software framework for Windows, Linux, and macOS operating systems. It is a cross-platform successor to .NET Framework.


Vulnerability Summary

A vulnerability exists in .NET’s Kestrel Web Server where, on detecting a potentially malicious client, Kestrel will sometimes fail to disconnect it, resulting in a Denial of Service (DoS).


Impact If Exploited

If exploited or triggered, the impacted product may slow down, crash due to unhandled errors, or lock out legitimate users.

NOTE: This vulnerability has been reported by the CISA (America’s Cyber Defense Agency) to be known to be currently actively exploited in the wild as of 10/08/2023.


Affected Product Versions

* Microsoft Visual Studio 2022 version 17.6 prior to Build 17.6.6
* Microsoft Visual Studio 2022 version 17.4 prior to Build 17.4.10
* Microsoft Visual Studio 2022 version 17.2 prior to Build 17.2.18
* .NET 7.0 prior to Build 7.0.10
* .NET 6.0 prior to Build 6.0.21
* ASP.NET Core 2.1 prior to Build 2.1.40



Official Fix & Remediation Guidance

Customers are advised to upgrade to the latest version of the impacted Microsoft product. To fix the issue please install the latest version of .NET 6.0 or .NET 7.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.

Updates to Microsoft Visual Studio and .NET may be available via the built-in package manager or auto-update system in the Operation System, or alternatively may be downloaded directly via the MSRC website’s download page, located at [[]].

* If you’re using .NET 7.0, you should download and install Runtime 7.0.10 or SDK 7.0.110 (for Visual Studio 2022 v17.4) from [[]].
* If you’re using .NET 6.0, you should download and install Runtime 6.0.21 or SDK 6.0.316 (for Visual Studio 2022 v17.2) from [[]].

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.


Temporary Mitigation & Workarounds

If your application is running behind a reverse proxy, or Web Application Firewall, which has its own mitigations against HTTP based attacks this issue may be mitigated by the proxy or WAF

NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.

References **[[]]  [[]]

Category: Denial of Service (DOS)



AppCheck has added a plugin to detect the flaw that will run as part of your standard scans.


About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).

Get started with Appcheck

No software to download or install.

Contact us or call us 0113 887 8380

Start your free trial

Your details
IP Addresses

Get in touch

Please enable JavaScript in your browser to complete this form.