Microsoft Security Advisory CVE-2017-8585 : Malformed Culture can cause application crash

[blowdart]

Microsoft Security Advisory CVE-2017-8585

Malformed Culture can cause application to crash

Executive Summary

Microsoft is releasing this security advisory to provide information about a vulnerability in the public versions of .NET Core 1.0 and 1.1. This advisory also provides guidance on what developers can do to update their applications correctly.

Microsoft is aware of a security vulnerability in the public version of .NET Core where a malformed string request could cause an application to crash and lead to a denial of service.

System administrators are advised to update their .NET Core runtimes to versions 1.0.7 and 1.1.4. Developers are advised to update their .NET Core SDK to version 1.1.4.

Discussion

Use dotnet/corefx#24703 for discussion of this advisory.

Mitigation Factors

.NET Core 2.0 is not affected by this issue.
,NET Core 1.x applications are only affected if running on Windows 10 or Windows 2016.

Advisory FAQ

How do I know if I am affected?

Any application running against .NET Core 1.0.6 or lower versions, or 1.1.2 or lower versions is affected. The latest version of the .NET core runtime you have installed in your computer can be listed by running dotnet --info. Running that command produces an output similar to the following:

.NET Command Line Tools (2.0.2)

Product Information:
 Version:            2.0.2
 Commit SHA-1 hash:  a04b4bf512

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.16299
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\2.0.2\

Microsoft .NET Core Shared Framework Host

  Version  : 2.0.0
  Build    : e8b8861ac7faf042c87a5c2f9f2d04c98b69f28d

As this command only displays the latest version of the runtime installed (or the version set in the global.json file), it may hide the fact that you have a vulnerable runtime. A complete list of runtimes can be discovered by performing a directory listing in the install root directories. The default root directories are listed in the following table:

Operating System	Location
Windows	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\
macOS	/usr/local/share/dotnet/shared/Microsoft.NETCore.App/
Supported Linux platforms	/usr/share/dotnet/shared/Microsoft.NETCore.App/

Each runtime version is installed in its own directory, where the directory name is the version number. If you don't have a directory for 1.0.7 and 1.1.4, then any applications targeting 1.0 or 1.1 of .NET Core are vulnerable.

Also, even if you have a directory for 1.0.7 and 1.1.4 present in your system, if you've deployed self-contained applications targeting the impacted versions, these applications are also vulnerable.

How do I fix my affected application?

Applications can be fixed by installing the latest .NET Core runtimes or SDKs. Typically, application servers only have runtime packages installed and developer machines have the SDKs installed. Installers for the runtimes can be downloaded from the Runtime and SDK download archive. .NET Core 1.1.4 SDK installs both versions 1.0.7 and 1.1.4 of the .NET Core runtime.

If you've built a self-contained application, you must install the new runtime and SDK, recompile your application and redeploy.

What if the update breaks my application?

An application can be pinned to a previous version of the runtime by editing the application.runtime.config file for that application. Set the framework version to the desired version and the rollForward property to false. These settings should be treated as a temporary measure and the application updated to work with the patched versions of the framework.

Since the application.runtime.config file is an optional file, you may need to create one for each application and add it alongside the executable.

Acknowledgments

David Fernandez of Sidertia Solutions

External Links

CVE-2017-8585
Sidertia blog on their discovery

Version 1.1
Last Updated 2017-18-10