Microsoft Security Advisory CVE-2018-0875: Hash Collision can cause Denial of Service #62

Open
blowdart opened this issue Mar 13, 2018 · 0 comments
Labels

Comments

@blowdart
Copy link
Collaborator

blowdart commented Mar 13, 2018

Executive Summary

Microsoft is releasing this security advisory to provide information about a vulnerability in the public versions of .NET Core 1.0, 1.1 and 2.0 (including their patch releases).
This advisory also provides guidance on what developers can do to update their applications correctly.

Microsoft is aware of a security vulnerability in the public versions of .NET Core where a maliciously crafted file or web request can produce hash collisions and cause a denial of service (DoS).

System administrators are advised to update their .NET Core runtimes to versions 1.0.10, 1.1.7 or 2.0.6. Developers are advised to update their .NET Core SDK to versions 1.1.8 or 2.1.101.

Discussion

Use https://github.com/dotnet/corefx/issues/28010 for discussion of this advisory.

Mitigation Factors

None

Affected Software

Any application running against .NET Core 1.0.9 or earlier, 1.1.6 or earlier, or 2.0.5 or earlier is affected.

Advisory FAQ

How do I know if I am affected?

Any application running against .NET Core 1.0.9 or earlier, 1.1.6 or earlier, or 2.0.5 or earlier is affected.

A complete list of runtimes can be discovered by performing a directory listing in the install root directories. The default root directories are listed in the following table:

Operating System             Location
Windows                      C:\Program Files\dotnet\shared\Microsoft.NETCore.App\
macOS                        /usr/local/share/dotnet/shared/Microsoft.NETCore.App/
Supported Linux platforms    /usr/share/dotnet/shared/Microsoft.NETCore.App/

Each runtime version is installed in its own directory, where the directory name is the version number. If the directory for the patched build of a runtime line you target is missing (1.0.10 for 1.0, 1.1.7 for 1.1, 2.0.6 for 2.0), then any application targeting that major/minor version of .NET Core is vulnerable.

Additionally, self-contained applications targeting any of the impacted versions carry their own copy of the runtime, so installing a patched shared runtime does not fix them: they must be updated to target the patched .NET Core runtime, recompiled and redeployed.
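The directory check above, as an added example that is not part of the advisory: a small POSIX shell script that lists the runtime directories under a .NET Core install root and flags every 1.0, 1.1 or 2.0 runtime older than the patched build named in this advisory. The install root is passed as an argument (use the default root for your OS from the table above); the function names check_runtimes, version_lt and patched_for are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example (not part of the advisory): enumerate the shared-runtime
# directories under a .NET Core install root and report each installed
# 1.0 / 1.1 / 2.0 runtime that is older than the patched build named in
# CVE-2018-0875. Function names are hypothetical.

# Patched runtime for a given major.minor, taken from the advisory.
patched_for() {
    case "$1" in
        1.0) echo 1.0.10 ;;
        1.1) echo 1.1.7 ;;
        2.0) echo 2.0.6 ;;
        *)   echo "" ;;   # runtime line not covered by this advisory
    esac
}

# Exit 0 when version $1 is numerically below $2 (x.y.z compared component
# by component, so 1.0.9 < 1.0.10 even though it sorts higher as text).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Prints one line per runtime directory under $1, either "<version> ok" or
# "<version> vulnerable (patched build is <p>)", skipping names that are not
# x.y.z versions (e.g. NuGetFallbackFolder). Returns 1 if any vulnerable
# runtime was found, 2 if the root does not exist, 0 otherwise.
check_runtimes() {
    root="$1"
    [ -d "$root" ] || { echo "no runtime directory at $root" >&2; return 2; }
    status=0
    for d in "$root"/*/; do
        v=$(basename "$d")
        case "$v" in
            [0-9]*.[0-9]*.[0-9]*) ;;
            *) continue ;;
        esac
        p=$(patched_for "${v%.*}")          # major.minor of this directory
        if [ -n "$p" ] && version_lt "$v" "$p"; then
            echo "$v vulnerable (patched build is $p)"
            status=1
        else
            echo "$v ok"
        fi
    done
    return "$status"
}

# Usage: sh check_netcore.sh <install-root>, for example on Linux
#   sh check_netcore.sh /usr/share/dotnet/shared/Microsoft.NETCore.App
# With no argument only the functions are defined, so the file can be sourced.
if [ $# -gt 0 ]; then
    check_runtimes "$1"
fi
```

The exit status (1 when something vulnerable is present) makes the script usable from configuration-management or CI checks. Note that the script only inspects shared runtimes; a self-contained application ships its own runtime in its publish folder and is not visible here.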

How do I fix my affected application?

Framework-dependent applications can be fixed by installing the latest .NET Core runtimes or SDKs: the host rolls such applications forward to the latest installed patch of the major/minor version they target, so no rebuild is needed. Typically, application servers only have runtime packages installed and developer machines have the SDKs installed.
Installers for the runtimes can be downloaded from the Runtime and SDK download archive.
The .NET Core 1.1.8 SDK installs both versions 1.0.10 and 1.1.7 of the .NET Core runtime.

If you've built a self-contained application, you must install the new runtime and SDK, update your application to target the updated .NET Core runtime, recompile and redeploy. To update your runtime version edit the RuntimeFrameworkVersion property in the project's .csproj file to indicate the desired target version. For example:

<PropertyGroup>
  <RuntimeFrameworkVersion>2.0.6</RuntimeFrameworkVersion>
</PropertyGroup>

What if the update breaks my application?

An application can be pinned to a previous version of the runtime by editing the {applicationName}.runtimeconfig.json file for that application, where {applicationName} is the name of the executable; for example, example.exe has a runtime configuration file named example.runtimeconfig.json. Set the framework version to the desired version and turn patch roll-forward off (the rollForward setting; in the runtimeconfig.json read by the 1.x/2.x host this is the boolean applyPatches property set to false). These settings should be treated as a temporary measure, since the application keeps running on the vulnerable runtime until the pin is removed; update the application to work with the patched versions of the framework as soon as possible.

Since the {applicationName}.runtimeconfig.json file is an optional file, you may need to create one for each application and add it alongside the executable.
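A pinned runtime configuration for a framework-dependent 2.0 application, added here as an illustration and not taken from the advisory. The pinned version 2.0.5 is an assumed value (the last vulnerable 2.0 build); applyPatches is the property the .NET Core 1.x/2.x host reads to disable patch roll-forward (the string-valued rollForward property belongs to later hosts, from .NET Core 3.0), and the tfm value is what the SDK writes for a netcoreapp2.0 project.

```json
{
  "runtimeOptions": {
    "tfm": "netcoreapp2.0",
    "framework": {
      "name": "Microsoft.NETCore.App",
      "version": "2.0.5"
    },
    "applyPatches": false
  }
}
```

Two caveats: the pinned runtime must still be installed, which it normally is because .NET Core runtimes install side by side and the 2.0.6 installer does not remove 2.0.5; and while this file is in place the host will load the vulnerable 2.0.5 runtime even though 2.0.6 is present, so the pin should be removed as soon as the application has been fixed to run on the patched build.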

Acknowledgments

Ben Adams of Illyriad Games

External Links

CVE-2018-0875

Revisions

V1.2 (Mar 26, 2018): Corrected instructions for runtimeconfig.json
V1.1 (Mar 14, 2018): Added instructions for self-contained application retargeting.
V1.0 (Mar 13, 2018): Advisory published.

Version 1.2
Last Updated 2018-03-26
