Affected .net versions by CVE-2024-0057

Question

Affected .net versions by CVE-2024-0057

Anonymous

Hello, I am concerned about CVE-2024-0057 and would like to know if .NET Core is affected. I have checked the security advisory here and can see that all supported versions of .NET (.NET 6 through .NET 8) are impacted. However, I am specifically interested in older, non-supported versions. Since our release and deployment process makes it difficult to update already deployed systems to the latest .NET version, I want to know if .NET Core is affected too given that it is the predecessor to .NET 5 and later. Or is the vulnerability only introduced in .NET 5/.NET 6? Thank you.

Anonymous

2024-02-26T06:47:07.1433333+00:00

Hi @Matěj Prášek , Welcome to Microsoft Q&A, In the .NET, only WindowsDesktop shared runtime containing a income box component that uses X.509 chain to generate the X.509 chain. Other project types (such as web applications) are not affected by this vulnerability, unless they are displayed in a form of vulnerability to build the X.509 chain to build the API itself, or they use the external bag that represents them performing this operation. Do you use X.509?
Anonymous

2024-02-27T12:21:37.6666667+00:00

Hi @Anonymous , thanks for your comment. Let me give you some background about our company. We produce a video management software that consists of a number of Windows servers installed on-premise. We provide support for all versions released in past 3 years, thus the question regarding .NET Core. We do use X.509 to retrieve and store certificates and to create self-signed certificates. We do not generate any certificate chains. If I understand correctly, the vulnerability is tied to creating X.509 chains by our application. If that is the case, we should not be affected. Can you please confirm that there is no misunderstanding between us?
Anonymous

2024-02-29T09:11:18.3966667+00:00

Hi @Matěj Prášek, You may need to consult a more professional person, I can't give you a guarantee. You can go directly to the issue under this link to ask.

Answer accepted by question author

0 additional answers

Your answer

Anonymous

2024-02-26T06:47:07.1433333+00:00

Hi @Matěj Prášek , Welcome to Microsoft Q&A, In the .NET, only WindowsDesktop shared runtime containing a income box component that uses X.509 chain to generate the X.509 chain. Other project types (such as web applications) are not affected by this vulnerability, unless they are displayed in a form of vulnerability to build the X.509 chain to build the API itself, or they use the external bag that represents them performing this operation. Do you use X.509?
Anonymous

2024-02-27T12:21:37.6666667+00:00

Hi @Anonymous , thanks for your comment. Let me give you some background about our company. We produce a video management software that consists of a number of Windows servers installed on-premise. We provide support for all versions released in past 3 years, thus the question regarding .NET Core. We do use X.509 to retrieve and store certificates and to create self-signed certificates. We do not generate any certificate chains. If I understand correctly, the vulnerability is tied to creating X.509 chains by our application. If that is the case, we should not be affected. Can you please confirm that there is no misunderstanding between us?
Anonymous

2024-02-29T09:11:18.3966667+00:00

Hi @Matěj Prášek, You may need to consult a more professional person, I can't give you a guarantee. You can go directly to the issue under this link to ask.

Answer 1

Michael Taylor 61,181

Without knowing what the actual vulnerable code is it is hard to say. However looking at the link it says that System.Security.Cryptography.X509Certificates.dll <= 6.0.125 are impacted. That would lead me to believe that this impacts all versions prior to v6 as well, so yes you are vulnerable.

However System.Security.Cryptography.dll is only for v7 to v8 so .NET Core would be fine. If it weren't fine then you'd expect to see v6 of the binary impacted by the vulnerability as well.

Share via

Affected .net versions by CVE-2024-0057

0 additional answers

Your answer