Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign upMicrosoft Security Advisory CVE-2017-8700: CORS bypass can enable Information Disclosure #279
Comments
blowdart
added
the
Security
label
Nov 14, 2017
blowdart
closed this
Nov 14, 2017
aspnet
locked and limited conversation to collaborators
Nov 14, 2017
blowdart
changed the title from
Reserved
to
Microsoft Security Advisory CVE-2017-8700: CORS bypass can enable Information Disclosure
Nov 14, 2017
blowdart
reopened this
Nov 14, 2017
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
blowdart commentedNov 14, 2017
•
edited
Microsoft Security Advisory CVE-2017-8700 CORS Bypass can enable Information Disclosure
Executive Summary
Microsoft is releasing this security advisory to provide information about a vulnerability in public ASP.NET Core 1.0 and 1.1. This advisory also provides guidance on what developers can do to update their applications correctly.
Microsoft is aware of a security vulnerability in some public versions of ASP.NET Core where Cross-Origin Resource Sharing (CORS) can be bypassed, leading to information disclosure.
Discussion
Please use aspnet/Mvc#7054 for discussion of this advisory.
Mitigation Factors
ASP.NET Core applications using version 2.0.0 or higher are not vulnerable.
Affected Software
The vulnerabilities affect any Microsoft ASP.NET Core project if it uses the following affected package versions.
1.1.0, 1.1.1, 1.1.2 ,1.1.3, 1.1.4
1.1.6
1.1.0, 1.1.1, 1.1.2 ,1.1.3, 1.1.4
1.1.6
Advisory FAQ
How do I know if I am affected?
.NET Core and ASP.NET Core have two types of dependencies: direct and transitive. If your project has a direct or transitive dependency on any of the packages and versions listed above, you are affected.
Note: As part of patching ASP.NET Core MVC we update every Microsoft.AspNetCore.Mvc.* package. If, for example, you have a dependency on
Microsoft.AspNetCore.Mvcyou should update to the appropriate version first (1.0.x should be updated to 1.0.6, 1.1.x should be updated to 1.1.6), and it will also update any other vulnerableMicrosoft.AspNetCore.Mvcdependency.NET Core Project formats
.NET Core has two different project file formats, depending on what software created the project.
project.jsonis the format used in .NET Core 1.0 and Microsoft Visual Studio 2015.csprojis the format used in .NET Core 1.1 and Microsoft Visual Studio 2017.You must ensure you follow the correct update instructions for your project type.
Direct Dependencies
Direct dependencies are dependencies where you specifically add a package to your project. For example, if you add the
Microsoft.AspNetCore.Mvcpackage to your project then you have taken a direct dependency onMicrosoft.AspNetCore.Mvc.Direct dependencies are discoverable by reviewing your
project.jsonorcsprojfile.Transitive Dependencies
Transitive dependencies occur when you add a package to your project that in turn relies on another package. For example, if you add the
Microsoft.AspNetCore.Mvcpackage to your project it depends on theMicrosoft.AspNetCore.Mvc.Corepackage (among others). Your project has a direct dependency onMicrosoft.AspNetCore.Mvcand a transitive dependency on theMicrosoft.AspNetCore.Mvc.Corepackage.Transitive dependencies are reviewable in the Visual Studio Solution Explorer window, which supports searching, or by reviewing the
project.lock.jsonfile contained in the root directory of your project forproject.jsonprojects or theproject.assets.jsonfile contained in the obj directory of your project forcsprojprojects. These files are the authoritative list of all packages used by your project, containing both direct and transitive dependencies.How do I fix my affected application?
You will need to fix both direct dependencies and review and fix any transitive dependencies. The affected packages and versions in the previous “Affected Software” section include each vulnerable package, the vulnerable versions, and the patched versions
Note: If you are using ASP.NET Core MVC in your projects you should first update the
Microsoft.AspNetCore.Mvcversion to the fixed version in the table above. If you are currently using version 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4 or 1.0.5 you should update your package version to 1.0.6. If you are using version 1.1.0, 1.1.1, 1.1.2, 1.1.3 or 1.1.4 you should update your package version to 1.1.6. This will update every MVC package to the fixed versions.Fixing Direct Dependencies – project.json/VS2015
Open your
project.jsonfile in your editor. Look for the dependencies section. Below is an example dependencies section:This example has three direct dependencies:
Microsoft.NETCore.App,Microsoft.AspNetCore.Server.KestrelandMicrosoft.AspNetCore.Mvc.Core.Microsoft.NetCore.Appis the platform the application targets, you should ignore this. The other packages expose their version to the right of the package name. In our example, our non-platform packages are version 1.0.1.Review your direct dependencies for any instance of the packages and versions listed above. In the example above, there is a direct dependency on the vulnerable package,
Microsoft.AspNetCore.Mvc.Coreversion 1.0.1.To update to the fixed package, change the version number to be the appropriate package for your release. In the example, this would be updating
Microsoft.AspNetCore.Mvc.Coreto 1.0.6.After updating the vulnerable package versions, save your
project.jsonfile.The dependencies section in our example
project.jsonwould now look as follows:If you are using Visual Studio and save your updated
project.jsonfile, Visual Studio will restore the new package version. You can see the restore results by opening the Output Window (Ctrl+Alt+O) and changing the Show output from drop-down list to Package Manager.If you are not using Visual Studio, open a command line and change to your project directory. Execute the
dotnet restorecommand to restore your new dependency.After you have addressed all of your direct dependencies, you must also review your transitive dependencies.
Fixing Direct Dependencies – csproj/VS2017
Open your
projectname.csprojfile in your editor, or right click the project in Visual Studio 2017 and chooseEdit projectname.csprojfrom the content menu, where projectname is the name of your project. Look forPackageReferencenodes. The following shows an example project file:The example has a single direct dependency, as seen by the
PackageReferenceelement. The name of the package is in the Include attribute, and the package version number is in the Version attribute that is exposed to the right of the package name. The example shows a single packageMicrosoft.AspNetCore.Mvc.Coreversion 1.1.6.Review your
PackageReferenceelements for any instance of the packages and versions listed above. In the example above, there is a direct dependency on the vulnerable package,Microsoft.AspNetCore.Mvc.Coreversion 1.1.3.To update to the fixed package, change the version number to the appropriate package for your release. In the example, this would be updating
Microsoft.AspNetCore.Mvc.Corsto 1.1.6.After updating the vulnerable package version, save your
csprojfile. The examplecsprojwould now look as follows:If you are using Visual Studio and save your updated
csprojfile, Visual Studio will restore the new package version. You can see the restore results by opening the Output Window (Ctrl+Alt+O) and changing the Show output from drop-down list to Package Manager.If you are not using Visual Studio open a command line and change to your project directory. Execute the
dotnet restorecommand to restore your new dependency.After updating your direct dependencies
Recompile your application.
If after recompilation you see a Dependency conflict warning, you must update your other direct dependencies to the appropriate version.
For example if your project refers to
Microsoft.AspNetCore.Mvc.Corswith a version number of 1.0.1 when you update yourMicrosoft.AspNetCore.Mvcpackage to 1.0.6, compilation will throw:NU1012 Dependency conflict. Microsoft.AspNetCore.Mvc.Core 1.0.6 expected Microsoft.AspNetCore.Mvc.Cors >= 1.0.6 but received 1.0.1To fix this, edit the version for the expected package to be the version expected by updating your
csprojorproject.jsonin the same way that you used to update the vulnerable package versions.After you have addressed all of your direct dependencies, you must also review your transitive dependencies.
Reviewing Transitive Dependencies
There are two ways to view transitive dependencies. You can either use Visual Studio’s Solution Explorer, or you can review your
project.lock.json(project.json/VS2015) orproject.assets.json(csproj/VS2017) file.Using Visual Studio Solution Explorer (VS2015)
If you want to use Visual Studio 2015, open your project in Visual Studio 2015 and then press Ctrl+; to activate the search in Solution Explorer. Search for each of the vulnerable package names and make a note of the version numbers of any results you find.
For example, searching for
Microsoft.AspNetCore.Mvc.Corein an example project that contains a reference toMicrosoft.AspNetCore.Mvcshows the following results in Visual Studio 2015.The search results appear as a tree. In these results, you can see we have found references to
Microsoft.AspNetCore.Mvc, version 1.0.1, ` vulnerable version.The first entry under the References heading refers to the target framework your application is using. This will be
.NETCoreApp,.NETStandardor.NET-Framework-vX.Y.Z(where X.Y.Z is an actual version number) depending on how you configured your application. Under your target framework will be the list of packages you have directly taken a dependency on. In this example, the application takes a dependency onMicrosoft.AspNetCore.Mvc.Microsoft.AspNetCore.Mvcin turn has leaf nodes that list its dependencies and their versions. In this case theMicrosoft.AspNetCore.Mvcpackage takes a dependency on a vulnerable version ofMicrosoft.AspNetCore.Mvc.Coreand numerous other packages.Manually reviewing project.lock.json (project.json/VS2015)
Open the
project.lock.jsonfile in your editor. We suggest you use an editor that understands json and allows you to collapse and expand nodes to review this file; both Visual Studio and Visual Studio Code provide this functionality.If you are using Visual Studio the
project.lock.jsonfile is “under” theproject.jsonfile. Click the right pointing triangle, ▷, to the left of theproject.jsonfile to expand the solution tree to expose theproject.lock.jsonfile. The following image shows a project with theproject.jsonfile expanded to show theproject.lock.jsonfile.Search the
project.lock.jsonfile for the vulnerable packages, using the formatpackagename/, using each of the package names from the table above. If you find any vulnerable assembly name in your search examine the line on which they are found, the version number is after the/and compare to the vulnerable versions table above. For example a search result that showsMicrosoft.AspNetCore.Mvc.Cors/1.0.1is a reference to v1.0.1 ofMicrosoft.AspNetCore.Mvc.Cors. If yourproject.lock.jsonfile includes references to any of the package versions shown above then you will need to fix the transitive dependencies.Fixing transitive dependencies (project.json/VS2015)
If you have not found any reference to a vulnerable version of
Microsoft.AspNetCore.Mvc.Corsthis means none of your direct dependencies depend on any vulnerable packages or you have already fixed the problem by updating the direct dependencies.If your transitive dependency review found references to any of the vulnerable packages you must add a direct dependency to the updated package to your
project.jsonfile to override the transitive dependency. Open yourproject.jsonand find the dependencies section. For example:For each of the vulnerable packages your search returned you must add a direct dependency to the updated version by adding it to the
project.jsonfile. You do this by adding a new line to the dependencies section, referring the fixed version. For example, if your search showed a transitive reference to the vulnerableMicrosoft.AspNetCore.Mvc.Corsversion 1.0.0 you would add a reference to the appropriate fixed version, 1.0.6. Edit theproject.jsonfile as follows:After you have added direct dependencies to the fixed packages, save your
project.jsonfile.If you are using Visual Studio save your updated
project.jsonfile and Visual Studio will restore the new package versions. You can see the restore results by opening the Output Window (Ctrl+Alt+O) and changing the Show output from drop-down list to Package Manager.If you are not using Visual Studio open a command line and change to your project directory. Execute the
dotnet restorecommand to restore your new dependencies.Using Visual Studio Solution Explorer (VS2017)
If you want to use Solution Explorer, open your project in Visual Studio 2017, and then press Ctrl+; to activate the search in Solution Explorer. Search for each of the vulnerable package names and make a note of the version numbers of any results you find.
For example, searching for
Microsoft.AspNetCore.Mvc.Corein an example project that contains a package that takes a dependency onMicrosoft.AspNetCore.Mvcshows the following results in Visual Studio 2017.The search results appear as a tree. In these results, you can see we have found references to
Microsoft.AspNetCore.Mvc.Coreversion 1.1.2.Under the Dependencies node will be a NuGet node. Under the NuGet node will be the list of packages you have directly taken a dependency on and their versions. In this example, the application takes a direct dependency on
Microsoft.AspNetCore.Mvc.Microsoft.AspNetCore.Mvcin turn has leaf nodes that list its dependencies and their versions. In the example theMicrosoft.AspNetCore.Mvcpackage takes a dependency on a version ofMicrosoft.AspNetCore.Mvc.ApiExplorerwhich in turn takes a dependency on a vulnerable version ofMicrosoft.AspNetCore.Mvc.Core.Manually reviewing project.assets.json (VS2017)
Open the
project.assets.jsonfile from your project’s obj directory in your editor. We suggest you use an editor that understands json and allows you to collapse and expand nodes to review this file; both Visual Studio and Visual Studio Code provide this functionality.Search the
project.assets.jsonfile for each of the vulnerable packages, using the formatpackagename/using the package name from the table above. If you find the assembly name in your search examine the line on which they are found, the version number is after the/and compare to the vulnerable versions table above. For example a search result that showsMicrosoft.AspNetCore.Mvc.Cors/1.1.0is a reference to v1.1.0 ofMicrosoft.AspNetCore.Mvc.Cors. If yourproject.assets.jsonfile includes references to any of the vulnerable packages shown above then you will need to fix the transitive dependencies.If you have not found any reference to any vulnerable packages this means none of your direct dependencies depend on any vulnerable packages or you have already fixed the problem by updating the direct dependencies.
If your transitive dependency review found references to any of the vulnerable packages you must add a direct dependency to the updated package to your
csprojfile to override the transitive dependency. Open yourprojectname.csprojfile in your editor, or right click on the project in Visual Studio 2017 and choose Editprojectname.csprojfrom the content menu, whereprojectnameis the name of your project. Look forPackageReferencenodes, for example:For each of the vulnerable packages your search returned you must add a direct dependency to the updated version by adding it to the
csprojfile. You do this by adding a new line to the dependencies section, referring the fixed version. For example, if your search showed a transitive reference to the vulnerableMicrosoft.AspNetCore.Mvc.Cors, version 1.1.4 you would add a reference to the appropriate fixed version, 1.1.6.After you have added the direct dependency reference, save your
csprojfile.If you are using Visual Studio, save your updated
csprojfile and Visual Studio will restore the new package versions. You can see the restore results by opening the Output Window (Ctrl+Alt+O) and changing the Show output from drop-down list to Package Manager.If you are not using Visual Studio, open a command line and change to your project directory. Execute the
dotnet restorecommand to restore your new dependencies.Rebuilding your application
Finally rebuild your application, test as you would do normally and redeploy using your favored deployment mechanism.
Other Information
Reporting Security Issues
If you have found a potential security issue in .NET Core, please email details to secure@microsoft.com. Reports may qualify for the .NET Core Bug Bounty. Details of the .NET Core Bug Bounty including Terms and Conditions are at https://aka.ms/corebounty.
Support
You can ask questions about this issue on GitHub in the .NET Core or ASP.NET Core organizations. These are located at https://github.com/dotnet/ and https://github.com/aspnet/. The Announcements repo for each product (https://github.com/dotnet/Announcements and https://github.com/aspnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue where you can ask questions.
Disclaimer
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
External Links
CVE-2017-8700
Revisions
V1.1 (Dec 13, 2017): Updated 1.1.5 to 1.1.6 to fix a packaging issue (see aspnet/Mvc#7070)
V1.0 (Nov 14, 2017): Advisory published.
Version 1.1
Last Updated 2017-12-13