CVE-2018-8356
Description
A security feature bypass vulnerability exists when Microsoft .NET Framework components do not correctly validate certificates, aka ".NET Framework Security Feature Bypass Vulnerability." This affects Microsoft .NET Framework 3.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 and 4.7.2; .NET Core 1.0, 1.1 and 2.0; and ASP.NET Core 1.0, 1.1 and 2.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Certificate validation flaw in the WCF components of .NET Framework, .NET Core and ASP.NET Core allows expired certificates to be accepted, bypassing a security feature.
Vulnerability
A security feature bypass vulnerability exists in .NET Framework, .NET Core and ASP.NET Core components that fail to correctly validate certificates [1][2]. On .NET Core the affected code is the Windows Communication Foundation (WCF) stack: System.Private.ServiceModel in the ranges 4.0.0 to 4.1.2, 4.3.0 to 4.3.2, 4.4.0 to 4.4.3 and 4.5.0 to 4.5.2, together with the dependent packages System.ServiceModel.Http, System.ServiceModel.NetTcp, System.ServiceModel.Primitives, System.ServiceModel.Duplex and System.ServiceModel.Security in their corresponding ranges (see the Affected packages table below) [2]. The flaw is present in .NET Framework 3.0, 3.5, 3.5.1, 4.5.2, 4.6.x and 4.7.x, in .NET Core 1.0, 1.1 and 2.0, and in ASP.NET Core 1.0, 1.1 and 2.0 [1][3].
Exploitation
An attacker exploits this by presenting an expired certificate when the affected component challenges for one, for example during a TLS handshake or certificate-based client authentication [2]. The affected WCF code accepts the expired certificate instead of rejecting it, so the validity-period check the application relies on is silently bypassed. The attacker needs network access to the vulnerable endpoint and control of the certificate presented to it; no privileges on the target are required beyond the ability to complete a handshake [2]. The vulnerable path is reached only when the application uses WCF with an affected package version [2].
Impact
Successful exploitation lets an attacker pass certificate validation with an expired certificate that should have been rejected [1][2]. The application proceeds as if validation succeeded, so any trust decision built on it (authenticating a peer, binding a transport to an identity) is made on a certificate whose validity period has lapsed. The advisory identifies the validity-period check as the one bypassed [2]; an attacker therefore still needs the private key of a certificate the target would have trusted before it expired, which is why the primary impact is a security feature bypass rather than direct impersonation or interception, although both become possible if other protections are also weakened [2].
Mitigation
Microsoft released updated packages [2]. Move every affected WCF package to the patched version for its release line: System.Private.ServiceModel to 4.1.3, 4.3.3, 4.4.4 or 4.5.3 (or later), and each System.ServiceModel.* package to the corresponding version listed in the Affected packages table [2]. Applications that do not use Windows Communication Foundation are not affected [2]. There is no workaround other than updating the affected packages. The fix shipped with the .NET Core updates of July 10, 2018 [2]; for .NET Framework, apply the July 2018 security updates listed in the MSRC advisory [3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched version |
|---|---|---|---|
| System.Private.ServiceModel | NuGet | >= 4.0.0, < 4.1.3 | 4.1.3 |
| System.Private.ServiceModel | NuGet | >= 4.3.0, < 4.3.3 | 4.3.3 |
| System.Private.ServiceModel | NuGet | >= 4.4.0, < 4.4.4 | 4.4.4 |
| System.Private.ServiceModel | NuGet | >= 4.5.0, < 4.5.3 | 4.5.3 |
| System.ServiceModel.Duplex | NuGet | >= 4.0.0, < 4.0.4 | 4.0.4 |
| System.ServiceModel.Duplex | NuGet | >= 4.3.0, < 4.3.3 | 4.3.3 |
| System.ServiceModel.Duplex | NuGet | >= 4.4.0, < 4.4.4 | 4.4.4 |
| System.ServiceModel.Duplex | NuGet | >= 4.5.0, < 4.5.3 | 4.5.3 |
| System.ServiceModel.Http | NuGet | >= 4.0.0, < 4.1.3 | 4.1.3 |
| System.ServiceModel.Http | NuGet | >= 4.3.0, < 4.3.3 | 4.3.3 |
| System.ServiceModel.Http | NuGet | >= 4.4.0, < 4.4.4 | 4.4.4 |
| System.ServiceModel.Http | NuGet | >= 4.5.0, < 4.5.3 | 4.5.3 |
| System.ServiceModel.NetTcp | NuGet | >= 4.0.0, < 4.1.3 | 4.1.3 |
| System.ServiceModel.NetTcp | NuGet | >= 4.3.0, < 4.3.3 | 4.3.3 |
| System.ServiceModel.NetTcp | NuGet | >= 4.4.0, < 4.4.4 | 4.4.4 |
| System.ServiceModel.NetTcp | NuGet | >= 4.5.0, < 4.5.3 | 4.5.3 |
| System.ServiceModel.Primitives | NuGet | >= 4.0.0, < 4.1.3 | 4.1.3 |
| System.ServiceModel.Primitives | NuGet | >= 4.3.0, < 4.3.3 | 4.3.3 |
| System.ServiceModel.Primitives | NuGet | >= 4.4.0, < 4.4.4 | 4.4.4 |
| System.ServiceModel.Primitives | NuGet | >= 4.5.0, < 4.5.3 | 4.5.3 |
| System.ServiceModel.Security | NuGet | >= 4.0.0, < 4.0.4 | 4.0.4 |
| System.ServiceModel.Security | NuGet | >= 4.3.0, < 4.3.3 | 4.3.3 |
| System.ServiceModel.Security | NuGet | >= 4.4.0, < 4.4.4 | 4.4.4 |
| System.ServiceModel.Security | NuGet | >= 4.5.0, < 4.5.3 | 4.5.3 |
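The ranges above are the check a practitioner actually has to run against a code base. The script below is an added example, not tooling from Microsoft, the GitHub advisory or the dotnet/wcf project. It parses SDK-style .csproj files for PackageReference entries, compares literal versions against the table using NuGet's ordering (4.4 equals 4.4.0.0, a prerelease sorts before its release), and reports floating versions such as 4.4.* as unresolved instead of silently passing them. The sample project file embedded in it is constructed for the example. Only direct references are inspected; transitive dependencies need `dotnet list package --include-transitive` or the restore output.

```python
"""Check a project's direct WCF package references against the CVE-2018-8356
affected ranges. Added example; not tooling from Microsoft or the dotnet/wcf
project. Assumes SDK-style .csproj files with PackageReference elements that
carry a literal Version (attribute or child element); floating versions such as
4.4.* and bracket ranges are reported as unresolved rather than guessed at, and
transitive dependencies are not resolved."""
import re
import xml.etree.ElementTree as ET

# Affected ranges and patched versions as given in the GitHub Security Advisory
# table: (min inclusive, max exclusive, patched version).
_STD = [("4.0.0", "4.1.3", "4.1.3"), ("4.3.0", "4.3.3", "4.3.3"),
        ("4.4.0", "4.4.4", "4.4.4"), ("4.5.0", "4.5.3", "4.5.3")]
# Duplex and Security have their own 4.0.x line, patched in 4.0.4.
_DUPLEX_SECURITY = [("4.0.0", "4.0.4", "4.0.4")] + _STD[1:]
AFFECTED = {
    "System.Private.ServiceModel": _STD,
    "System.ServiceModel.Http": _STD,
    "System.ServiceModel.NetTcp": _STD,
    "System.ServiceModel.Primitives": _STD,
    "System.ServiceModel.Duplex": _DUPLEX_SECURITY,
    "System.ServiceModel.Security": _DUPLEX_SECURITY,
}
# NuGet package ids are case-insensitive.
_AFFECTED_LOWER = {name.lower(): ranges for name, ranges in AFFECTED.items()}

_VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+){0,3})(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")


def parse_version(text):
    """Sortable key for a literal NuGet/SemVer version, or None if `text` is not
    one (e.g. 4.4.* or [4.4.0,4.5.0) or an MSBuild property)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    numbers = [int(p) for p in m.group(1).split(".")]
    numbers += [0] * (4 - len(numbers))  # NuGet treats 4.4, 4.4.0 and 4.4.0.0 alike
    prerelease = m.group(2) or ""
    # A prerelease (4.5.0-preview1) sorts before its release (4.5.0).
    return (tuple(numbers), 0 if prerelease else 1, prerelease)


def affected_patch(package, version):
    """Patched version a reference should move to, or None if the package/version
    pair is outside the advisory's affected ranges (or the version is not literal)."""
    ranges = _AFFECTED_LOWER.get(package.lower())
    key = parse_version(version)
    if ranges is None or key is None:
        return None
    for low, high, patched in ranges:
        if parse_version(low) <= key < parse_version(high):
            return patched
    return None


def audit_csproj(xml_text):
    """Return one finding per direct reference to an advisory package:
    {'package', 'version', 'status' ('affected' | 'ok' | 'unresolved'), 'patched'}."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        # endswith() also matches namespaced tags in old-style project files.
        if not el.tag.endswith("PackageReference"):
            continue
        name = el.get("Include") or el.get("Update")
        if not name or name.lower() not in _AFFECTED_LOWER:
            continue
        version = el.get("Version")
        if version is None:
            child = next((c for c in el if c.tag.endswith("Version")), None)
            version = child.text.strip() if child is not None and child.text else None
        if version is None or parse_version(version) is None:
            status, patched = "unresolved", None
        else:
            patched = affected_patch(name, version)
            status = "affected" if patched else "ok"
        findings.append({"package": name, "version": version,
                         "status": status, "patched": patched})
    return findings


# Constructed sample project file (not from any real repository).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup><TargetFramework>netcoreapp2.0</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="System.ServiceModel.Http" Version="4.4.2" />
    <PackageReference Include="System.ServiceModel.Duplex" Version="4.0.3" />
    <PackageReference Include="System.ServiceModel.Primitives" Version="4.5.3" />
    <PackageReference Include="System.ServiceModel.NetTcp" Version="4.4.*" />
    <PackageReference Include="Newtonsoft.Json" Version="11.0.2" />
  </ItemGroup>
</Project>
"""

if __name__ == "__main__":
    for f in audit_csproj(SAMPLE_CSPROJ):
        fix = f" -> upgrade to {f['patched']}" if f["patched"] else ""
        print(f"{f['status']:<10} {f['package']} {f['version']}{fix}")
```

Run it against a real project by passing the file contents to `audit_csproj`. An `affected` finding names the patched version for that release line (for the sample, Http 4.4.2 goes to 4.4.4 and Duplex 4.0.3 to 4.0.4), `ok` means the reference is already at or past the fix, and `unresolved` means the version has to be read from the restore output (project.assets.json) because a floating version or property was used.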
Affected products
- Range: 1.0
- (no CPE) range: 3.0
- (no CPE) range: 4.7.2 Developer Pack
- Range: 3.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2
- GHSA coordinates, six NuGet packages with the version ranges given in the Affected packages table: pkg:nuget/system.private.servicemodel, pkg:nuget/system.servicemodel.duplex, pkg:nuget/system.servicemodel.http, pkg:nuget/system.servicemodel.nettcp, pkg:nuget/system.servicemodel.primitives, pkg:nuget/system.servicemodel.security
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-p9wx-v264-q34p (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-8356 (NVD entry, via GHSA)
- www.securityfocus.com/bid/104664 (SecurityFocus BID 104664, via MITRE)
- www.securitytracker.com/id/1041257 (SecurityTracker 1041257, via MITRE)
- github.com/dotnet/announcements/issues/73 (dotnet/announcements issue 73, via GHSA)
- github.com/github/advisory-database/issues/302 (github/advisory-database issue 302, via GHSA)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8356 (MSRC advisory, vendor confirmation, via GHSA)
News mentions
No linked articles in our index yet.