.NET Core Update Fixes Denial-of-Service Vulnerability

Microsoft cranked out June 2020 updates to .NET Core 3.1 (and 2.1) to address a denial-of-service (DoS) vulnerability.

Officially, the flaw is called CVE-2020-1108 as listed in the Common Vulnerabilities and Exposures (CVE) system. The updates were announced in a June 9 blog post.

It says:

A denial of service vulnerability exists when .NET Core or .NET Framework improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Core or .NET Framework web application. The vulnerability can be exploited remotely, without authentication.

A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Core or .NET Framework application.

The update addresses the vulnerability by correcting how the .NET Core or .NET Framework web application handles web requests.

"To comprehensively address CVE-2020-1108, Microsoft has released updates for .NET Core 2.1 and .NET Core 3.1. Customers who use any of these versions of .NET Core should install the latest version of .NET Core. See the Release Notes for the latest version numbers and instructions for updating .NET Core," Microsoft said.

More information and guidance on dealing with the issue can be found in a Microsoft Security Advisory.

It says affected software includes:

  • Any .NET Core 2.1 application running on .NET Core 2.1.18 or lower
  • Any .NET Core 3.1 application running on .NET Core 3.1.4 or lower
  • Any .NET 5 application running on .NET 5 Preview 3 or lower

Yet another related advisory issue was published on May 12.

There was no information about whether the vulnerability was actually exploited.

About the Author

David Ramel is an editor and writer for Converge360.

comments powered by Disqus


Subscribe on YouTube