ID

VAR-201801-1128


CVE

CVE-2018-0786


TITLE

Microsoft .NET Framework and .NET Core Vulnerabilities that bypass security functions

Trust: 0.8

sources: JVNDB: JVNDB-2018-001239

DESCRIPTION

Microsoft .NET Framework 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, .NET Core 1.0 and 2.0, and PowerShell Core 6.0.0 allow a security feature bypass vulnerability due to the way certificates are validated, aka ".NET Security Feature Bypass Vulnerability." An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may aid in further attacks.

Trust: 1.89

sources: NVD: CVE-2018-0786 // JVNDB: JVNDB-2018-001239 // BID: 102380

AFFECTED PRODUCTS

vendor: microsoft // model: .net framework // scope: eq // version: 4.6.2

Trust: 2.7

vendor: microsoft // model: .net framework // scope: eq // version: 4.6.1

Trust: 2.7

vendor: microsoft // model: .net framework // scope: eq // version: 3.5.1

Trust: 2.7

vendor: microsoft // model: .net framework // scope: eq // version: 4.7

Trust: 2.7

vendor: microsoft // model: .net framework // scope: eq // version: 4.6

Trust: 2.7

vendor: microsoft // model: .net framework // scope: eq // version: 4.5.2

Trust: 2.7

vendor: microsoft // model: .net framework // scope: eq // version: 3.5

Trust: 2.7

vendor: microsoft // model: .net core // scope: eq // version: 1.0

Trust: 2.4

vendor: microsoft // model: .net core // scope: eq // version: 2.0

Trust: 2.4

vendor: microsoft // model: .net framework // scope: eq // version: 4.7.1

Trust: 2.4

vendor: microsoft // model: .net framework // scope: eq // version: 2.0

Trust: 1.3

vendor: microsoft // model: .net framework // scope: eq // version: 3.0

Trust: 1.0

vendor: microsoft // model: powershell core // scope: eq // version: 6.0

Trust: 1.0

vendor: microsoft // model: .net framework // scope: eq // version: 2.0 sp2

Trust: 0.8

vendor: microsoft // model: .net framework // scope: eq // version: 3.0 sp2

Trust: 0.8

vendor: microsoft // model: powershell core // scope: eq // version: 6.0.0

Trust: 0.8

vendor: microsoft // model: windows server // scope: eq // version: 20160

Trust: 0.3

vendor: microsoft // model: windows server r2 // scope: eq // version: 20120

Trust: 0.3

vendor: microsoft // model: windows server // scope: eq // version: 20120

Trust: 0.3

vendor: microsoft // model: windows server r2 for x64-based systems sp1 // scope: eq // version: 2008

Trust: 0.3

vendor: microsoft // model: windows server r2 for itanium-based systems sp1 // scope: eq // version: 2008

Trust: 0.3

vendor: microsoft // model: windows server r2 datacenter sp1 // scope: eq // version: 2008

Trust: 0.3

vendor: microsoft // model: windows server for x64-based systems sp2 // scope: eq // version: 2008

Trust: 0.3

vendor: microsoft // model: windows server for itanium-based systems sp2 // scope: eq // version: 2008

Trust: 0.3

vendor: microsoft // model: windows server for 32-bit systems sp2 // scope: eq // version: 2008

Trust: 0.3

vendor: microsoft // model: windows rt // scope: eq // version: 8.1

Trust: 0.3

vendor: microsoft // model: windows for x64-based systems // scope: eq // version: 8.10

Trust: 0.3

vendor: microsoft // model: windows for 32-bit systems // scope: eq // version: 8.10

Trust: 0.3

vendor: microsoft // model: windows for x64-based systems sp1 // scope: eq // version: 7

Trust: 0.3

vendor: microsoft // model: windows for 32-bit systems sp1 // scope: eq // version: 7

Trust: 0.3

vendor: microsoft // model: windows version for x64-based systems // scope: eq // version: 1017030

Trust: 0.3

vendor: microsoft // model: windows version for 32-bit systems // scope: eq // version: 1017030

Trust: 0.3

vendor: microsoft // model: windows version for x64-based systems // scope: eq // version: 1016070

Trust: 0.3

vendor: microsoft // model: windows version for 32-bit systems // scope: eq // version: 1016070

Trust: 0.3

vendor: microsoft // model: windows version for x64-based systems // scope: eq // version: 1015110

Trust: 0.3

vendor: microsoft // model: windows version for 32-bit systems // scope: eq // version: 1015110

Trust: 0.3

vendor: microsoft // model: windows for x64-based systems // scope: eq // version: 100

Trust: 0.3

vendor: microsoft // model: windows for 32-bit systems // scope: eq // version: 100

Trust: 0.3

vendor: microsoft // model: .net framework sp2 // scope: eq // version: 3.0

Trust: 0.3

sources: BID: 102380 // JVNDB: JVNDB-2018-001239 // CNNVD: CNNVD-201801-404 // NVD: CVE-2018-0786

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-0786
value: HIGH

Trust: 1.0

NVD: CVE-2018-0786
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201801-404
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2018-0786
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2018-0786
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: JVNDB: JVNDB-2018-001239 // CNNVD: CNNVD-201801-404 // NVD: CVE-2018-0786

PROBLEMTYPE DATA

problemtype:CWE-295

Trust: 1.0

problemtype:CWE-254

Trust: 0.8

sources: JVNDB: JVNDB-2018-001239 // NVD: CVE-2018-0786

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201801-404

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201801-404

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-001239

PATCH

title: CVE-2018-0786 | .NET Security Feature Bypass Vulnerability // url: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0786

Trust: 0.8

title: CVE-2018-0786 | .NET Security Feature Bypass Vulnerability // url: https://portal.msrc.microsoft.com/ja-jp/security-guidance/advisory/CVE-2018-0786

Trust: 0.8

title: Microsoft .NET Framework and .NET Core Security vulnerabilities // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=77659

Trust: 0.6

sources: JVNDB: JVNDB-2018-001239 // CNNVD: CNNVD-201801-404

EXTERNAL IDS

db: NVD // id: CVE-2018-0786

Trust: 2.7

db: BID // id: 102380

Trust: 1.9

db: SECTRACK // id: 1040152

Trust: 1.6

db: JVNDB // id: JVNDB-2018-001239

Trust: 0.8

db: CNNVD // id: CNNVD-201801-404

Trust: 0.6

sources: BID: 102380 // JVNDB: JVNDB-2018-001239 // CNNVD: CNNVD-201801-404 // NVD: CVE-2018-0786

REFERENCES

url:http://www.securityfocus.com/bid/102380

Trust: 2.2

url:https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2018-0786

Trust: 1.9

url:http://www.securitytracker.com/id/1040152

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-0786

Trust: 0.8

url:https://www.ipa.go.jp/security/ciadr/vul/20180110-ms.html

Trust: 0.8

url:http://www.jpcert.or.jp/at/2018/at180002.html

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2018-0786

Trust: 0.8

url:http://www.microsoft.com/net/

Trust: 0.3

url:http://www.microsoft.com

Trust: 0.3

sources: BID: 102380 // JVNDB: JVNDB-2018-001239 // CNNVD: CNNVD-201801-404 // NVD: CVE-2018-0786

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 102380

SOURCES

db: BID // id: 102380
db: JVNDB // id: JVNDB-2018-001239
db: CNNVD // id: CNNVD-201801-404
db: NVD // id: CVE-2018-0786

LAST UPDATE DATE

2024-08-14T14:51:44.983000+00:00


SOURCES UPDATE DATE

db: BID // id: 102380 // date: 2018-01-09T00:00:00
db: JVNDB // id: JVNDB-2018-001239 // date: 2018-02-02T00:00:00
db: CNNVD // id: CNNVD-201801-404 // date: 2019-10-23T00:00:00
db: NVD // id: CVE-2018-0786 // date: 2021-08-12T17:19:05.447

SOURCES RELEASE DATE

db: BID // id: 102380 // date: 2018-01-09T00:00:00
db: JVNDB // id: JVNDB-2018-001239 // date: 2018-02-02T00:00:00
db: CNNVD // id: CNNVD-201801-404 // date: 2018-01-11T00:00:00
db: NVD // id: CVE-2018-0786 // date: 2018-01-10T01:29:00.320