ID

VAR-201807-1618


CVE

CVE-2018-8356


TITLE

Security feature bypass vulnerability in multiple Microsoft products

Trust: 0.8

sources: JVNDB: JVNDB-2018-007178

DESCRIPTION

A security feature bypass vulnerability exists when Microsoft .NET Framework components do not correctly validate certificates, aka ".NET Framework Security Feature Bypass Vulnerability." This affects .NET Framework 4.7.2, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, ASP.NET Core 1.1, Microsoft .NET Framework 4.5.2, ASP.NET Core 2.0, ASP.NET Core 1.0, .NET Core 1.1, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2, .NET Core 1.0, .NET Core 2.0, Microsoft .NET Framework 4.6, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2, Microsoft .NET Framework 4.7.2. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions. This may aid in further attacks.

********************************************************************
Title: Microsoft Security Update Releases
Issued: July 19, 2018
********************************************************************

Summary
=======

The following CVEs have undergone a major revision increment:

* CVE-2018-8202
* CVE-2018-8260
* CVE-2018-8284
* CVE-2018-8356

Revision Information:
=====================

 - https://portal.msrc.microsoft.com/en-us/security-guidance
 - Reason for Revision: To address a known issue in the security updates released on July 10, Microsoft is releasing Cumulative Update packages for all supported editions of Windows 10. These packages are available via Microsoft Update catalog, WSUS, or by manually searching Windows Update. Customers who are experiencing issues after installing the July Windows security updates should install the replacement packages as applicable. Please refer to the Affected Products table for the replacement package KB numbers. Customers who have successfully installed the security updates and who are not experiencing any issues do not need to take any action.
 - Originally posted: July 10, 2018
 - Updated: July 19, 2018
 - Aggregate CVE Severity Rating: Important
 - Version: 2.0

The following CVEs have undergone a major revision increment:

* CVE-2018-0949
* CVE-2018-8242
* CVE-2018-8287
* CVE-2018-8288
* CVE-2018-8291
* CVE-2018-8296

Revision Information:
=====================

 - https://portal.msrc.microsoft.com/en-us/security-guidance
 - Reason for Revision: To address a known issue in the security updates released on July 10, Microsoft is releasing Cumulative Update packages for Windows 10, and Standalone and Preview Rollup packages for all other supported editions of Windows. These packages are available via Microsoft Update catalog, WSUS, or by manually searching Windows Update. Customers who are experiencing issues after installing the July Windows security updates should install the replacement packages as applicable. Note that the IE Cumulative updates are not affected. Please refer to the Affected Products table for the replacement package KB numbers. Customers who have successfully installed the security updates and who are not experiencing any issues do not need to take any action.
 - Originally posted: July 10, 2018
 - Updated: July 19, 2018
 - Aggregate CVE Severity Rating: Important
 - Version: 2.0

The following CVEs have undergone a major revision increment:

* CVE-2018-8125    * CVE-2018-8279    * CVE-2018-8301
* CVE-2018-8206    * CVE-2018-8280    * CVE-2018-8304
* CVE-2018-8222    * CVE-2018-8282    * CVE-2018-8307
* CVE-2018-8262    * CVE-2018-8286    * CVE-2018-8308
* CVE-2018-8274    * CVE-2018-8289    * CVE-2018-8309
* CVE-2018-8275    * CVE-2018-8290    * CVE-2018-8313
* CVE-2018-8276    * CVE-2018-8294    * CVE-2018-8314
* CVE-2018-8278    * CVE-2018-8297    * CVE-2018-8324
* CVE-2018-8325

Revision Information:
=====================

 - https://portal.msrc.microsoft.com/en-us/security-guidance
 - Reason for Revision: To address a known issue in the security updates released on July 10, Microsoft is releasing Cumulative Update packages for Windows 10, and Standalone and Preview Rollup packages for all other supported editions of Windows. These packages are available via Microsoft Update catalog, WSUS, or by manually searching Windows Update. Customers who are experiencing issues after installing the July Windows security updates should install the replacement packages as applicable. Please refer to the Affected Products table for the replacement package KB numbers. Customers who have successfully installed the security updates and who are not experiencing any issues do not need to take any action.
 - Originally posted: July 10, 2018
 - Updated: July 19, 2018
 - Aggregate CVE Severity Rating: Critical
 - Version: 2.0

The following CVE has undergone a major revision increment:

* CVE-2018-8356

Revision Information:
=====================

 - https://portal.msrc.microsoft.com/en-us/security-guidance
 - Reason for Revision: Revised the Affected Products table to include PowerShell Core 6.0 and PowerShell Core 6.1 because these products are affected by CVE-2018-9356. See https://github.com/PowerShell/Announcements/issues/6 for more information.
 - Originally posted: July 10, 2018
 - Updated: July 19, 2018
 - Aggregate CVE Severity Rating: Important
 - Version: 3.0

Other Information
=================

Recognize and avoid fraudulent email to Microsoft customers:
=============================================================

If you receive an email message that claims to be distributing a Microsoft security update, it is a hoax that may contain malware or pointers to malicious websites. Microsoft does not distribute security updates via email.

The Microsoft Security Response Center (MSRC) uses PGP to digitally sign all security notifications. However, PGP is not required for reading security notifications, reading security bulletins, or installing security updates. You can obtain the MSRC public PGP key at <https://technet.microsoft.com/security/dn753714>.

Trust: 1.98

sources: NVD: CVE-2018-8356 // JVNDB: JVNDB-2018-007178 // BID: 104664 // PACKETSTORM: 148630

AFFECTED PRODUCTS

vendor: microsoft, model: .net framework, scope: eq, version: 3.5

Trust: 2.4

vendor: microsoft, model: .net framework, scope: eq, version: 3.5.1

Trust: 2.4

vendor: microsoft, model: .net framework, scope: eq, version: 4.5.2

Trust: 2.4

vendor: microsoft, model: .net framework, scope: eq, version: 4.6

Trust: 2.4

vendor: microsoft, model: .net framework, scope: eq, version: 4.6.1

Trust: 2.4

vendor: microsoft, model: .net framework, scope: eq, version: 4.6.2

Trust: 2.4

vendor: microsoft, model: .net framework, scope: eq, version: 4.7

Trust: 2.4

vendor: microsoft, model: .net framework, scope: eq, version: 4.7.1

Trust: 2.4

vendor: microsoft, model: .net framework, scope: eq, version: 4.7.2

Trust: 2.4

vendor: microsoft, model: .net core, scope: eq, version: 1.0

Trust: 1.8

vendor: microsoft, model: .net core, scope: eq, version: 1.1

Trust: 1.8

vendor: microsoft, model: .net core, scope: eq, version: 2.0

Trust: 1.8

vendor: microsoft, model: .net framework developer pack, scope: eq, version: 4.7.2

Trust: 1.8

vendor: microsoft, model: asp.net core, scope: eq, version: 1.0

Trust: 1.8

vendor: microsoft, model: asp.net core, scope: eq, version: 1.1

Trust: 1.8

vendor: microsoft, model: asp.net core, scope: eq, version: 2.0

Trust: 1.8

vendor: microsoft, model: powershell core, scope: eq, version: 6.0

Trust: 1.8

vendor: microsoft, model: powershell core, scope: eq, version: 6.1

Trust: 1.8

vendor: microsoft, model: .net framework, scope: eq, version: 3.0

Trust: 1.6

vendor: microsoft, model: .net framework, scope: eq, version: 3.0 sp2

Trust: 0.8

sources: JVNDB: JVNDB-2018-007178 // CNNVD: CNNVD-201807-831 // NVD: CVE-2018-8356

CVSS

SEVERITY

nvd@nist.gov: CVE-2018-8356
value: MEDIUM

Trust: 1.0

NVD: CVE-2018-8356
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201807-831
value: MEDIUM

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2018-8356
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:N/I:P/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CVSSV3

nvd@nist.gov: CVE-2018-8356
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: JVNDB: JVNDB-2018-007178 // CNNVD: CNNVD-201807-831 // NVD: CVE-2018-8356

PROBLEMTYPE DATA

problemtype: CWE-295

Trust: 1.8

sources: JVNDB: JVNDB-2018-007178 // NVD: CVE-2018-8356

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201807-831

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-201807-831

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-007178

PATCH

title: CVE-2018-8356 | .NET Framework Security Feature Bypass Vulnerability
url: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8356

Trust: 0.8

title: CVE-2018-8356 | .NET Framework Security Feature Bypass Vulnerability
url: https://portal.msrc.microsoft.com/ja-jp/security-guidance/advisory/CVE-2018-8356

Trust: 0.8

title: Microsoft .NET Framework Security vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=81895

Trust: 0.6

sources: JVNDB: JVNDB-2018-007178 // CNNVD: CNNVD-201807-831

EXTERNAL IDS

db: NVD, id: CVE-2018-8356

Trust: 2.5

db: BID, id: 104664

Trust: 1.9

db: SECTRACK, id: 1041257

Trust: 1.6

db: JVNDB, id: JVNDB-2018-007178

Trust: 0.8

db: CNNVD, id: CNNVD-201807-831

Trust: 0.6

db: PACKETSTORM, id: 148630

Trust: 0.1

sources: BID: 104664 // JVNDB: JVNDB-2018-007178 // PACKETSTORM: 148630 // CNNVD: CNNVD-201807-831 // NVD: CVE-2018-8356

REFERENCES

url:https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/cve-2018-8356

Trust: 1.6

url:http://www.securitytracker.com/id/1041257

Trust: 1.6

url:http://www.securityfocus.com/bid/104664

Trust: 1.6

url:https://nvd.nist.gov/vuln/detail/cve-2018-8356

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-8356

Trust: 0.8

url:https://www.ipa.go.jp/security/ciadr/vul/20180711-ms.html

Trust: 0.8

url:http://www.jpcert.or.jp/at/2018/at180028.html

Trust: 0.8

url:http://www.microsoft.com/info/legalinfo/default.mspx

Trust: 0.1

url:http://go.microsoft.com/fwlink/?linkid=81184

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-8260

Trust: 0.1

url:https://portal.msrc.microsoft.com/en-us/security-guidance

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-8202

Trust: 0.1

url:https://github.com/powershell/announcements/issues/6

Trust: 0.1

url:https://technet.microsoft.com/security/dn753714

Trust: 0.1

url:https://profile.microsoft.com/regsysprofilecenter/subscriptionwizar

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-8284

Trust: 0.1

sources: JVNDB: JVNDB-2018-007178 // PACKETSTORM: 148630 // CNNVD: CNNVD-201807-831 // NVD: CVE-2018-8356

SOURCES

db: BID, id: 104664
db: JVNDB, id: JVNDB-2018-007178
db: PACKETSTORM, id: 148630
db: CNNVD, id: CNNVD-201807-831
db: NVD, id: CVE-2018-8356

LAST UPDATE DATE

2024-08-14T13:45:42.649000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2018-007178, date: 2018-09-11T00:00:00
db: CNNVD, id: CNNVD-201807-831, date: 2022-05-24T00:00:00
db: NVD, id: CVE-2018-8356, date: 2022-05-23T17:29:15.873

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2018-007178, date: 2018-09-11T00:00:00
db: PACKETSTORM, id: 148630, date: 2018-07-20T08:22:22
db: CNNVD, id: CNNVD-201807-831, date: 2018-07-11T00:00:00
db: NVD, id: CVE-2018-8356, date: 2018-07-11T00:29:02.587