Visual Studio Denial of Service Vulnerability

Vulnerability

Overview

CVE-2024-30046 is a denial-of-service (DoS) vulnerability in the ASP.NET Core Kestrel web server, affecting applications built with .NET 7.0 and .NET 8.0. The flaw exists in the Microsoft.AspNetCore.Server.Kestrel.Core.dll component, where a specific concurrency condition can lead to a deadlock [1][2]. This means that under certain network conditions, the server’s request-processing pipeline becomes permanently blocked, preventing it from handling new or existing connections.

Exploitation

Conditions

An unauthenticated remote attacker can exploit this vulnerability without any special privileges or user interaction. The attack vector is over the network, leveraging HTTP/2 multiplexed streams to trigger the deadlock in the Kestrel core [1][3]. Because Kestrel is the default web server for ASP.NET Core, a wide range of web applications, APIs, and services are potentially exposed. The vulnerability affects any .NET 7.0 application running version 7.0.18 or earlier, and any .NET 8.0 application on version 8.0.4 or earlier [1][2].

Impact

Successful exploitation results in a prolonged denial of service. The deadlock causes the Kestrel server to stop responding to client requests, effectively taking the affected application offline. This can disrupt service availability for users and dependent systems. Microsoft has stated that no mitigating factors or workarounds exist beyond applying the security update [1][3].

Mitigation

Status

Microsoft has released patches for both .NET 7.0 (update 7.0.19) and .NET 8.0 (update 8.0.5) through the affected NuGet packages, such as Microsoft.AspNetCore.App.Runtime.* [1][2][3]. Developers should update their projects to the patched versions immediately. There is no indication that this vulnerability has been added to the Known Exploited Vulnerabilities (KEV) catalog at the time of publication, but given the ease of remote exploitation, prompt patching is strongly recommended.