VYPR
Critical severity · NVD Advisory · Published Jul 9, 2024 · Updated Feb 10, 2026

.NET and Visual Studio Remote Code Execution Vulnerability

CVE-2024-35264

Description

.NET and Visual Studio Remote Code Execution Vulnerability

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free vulnerability in ASP.NET Core's Kestrel HTTP/3 implementation can lead to remote code execution on affected .NET 8.0 and 6.0 applications.

Vulnerability Overview

CVE-2024-35264 is a use-after-free vulnerability (CWE-416) in the ASP.NET Core Kestrel web server's HTTP/3 implementation [1][3]. The flaw occurs when memory is freed but later referenced incorrectly, leading to data corruption that an attacker can exploit for remote code execution [1]. The vulnerability affects .NET 8.0 versions 8.0.0 through 8.0.6, as well as .NET 6.0 with HTTP/3 (which was experimental in that version) [1][3].

Exploitation and Attack Surface

An attacker can exploit this vulnerability by sending specially crafted HTTP/3 requests to a vulnerable ASP.NET Core application running on Kestrel [1]. No authentication is required, and the attack can be performed remotely over the network, as the HTTP/3 protocol uses QUIC/UDP transport [1]. The prerequisite is that the application has HTTP/3 enabled and is running an affected version of the runtime or packages [1][3].

Impact

Successful exploitation results in data corruption that can potentially lead to remote code execution (RCE) in the context of the application [1][3]. This means an attacker could gain the ability to run arbitrary code, potentially taking full control of the application and underlying server, depending on the application's privileges.

Mitigation

Microsoft has released patched versions of the affected packages in .NET 8.0.7 and .NET 6.0.37 [1][3]. Developers should update their applications to the latest versions of the Microsoft.AspNetCore.App.Runtime packages or the .NET SDK/runtime [1]. There are no known workarounds, and Microsoft has not identified any mitigating factors for this vulnerability [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
| --- | --- | --- | --- |
| Microsoft.AspNetCore.App.Runtime.linux-arm | NuGet | >= 8.0.0, < 8.0.7 | 8.0.7 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 | NuGet | >= 8.0.0, < 8.0.7 | 8.0.7 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm | NuGet | >= 8.0.0, < 8.0.7 | 8.0.7 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 | NuGet | >= 8.0.0, < 8.0.7 | 8.0.7 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 | NuGet | >= 8.0.0, < 8.0.7 | 8.0.7 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 | NuGet | >= 8.0.0, < 8.0.7 | 8.0.7 |
| Microsoft.AspNetCore.App.Runtime.osx-arm64 | NuGet | >= 8.0.0, < 8.0.7 | 8.0.7 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 | NuGet | >= 8.0.0, < 8.0.7 | 8.0.7 |
| Microsoft.AspNetCore.App.Runtime.win-arm | NuGet | >= 8.0.0, < 8.0.7 | 8.0.7 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 | NuGet | >= 8.0.0, < 8.0.7 | 8.0.7 |
| Microsoft.AspNetCore.App.Runtime.win-x64 | NuGet | >= 8.0.0, < 8.0.7 | 8.0.7 |
| Microsoft.AspNetCore.App.Runtime.win-x86 | NuGet | >= 8.0.0, < 8.0.7 | 8.0.7 |
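
To check a host against the 8.0 range listed above, the following added example (not part of the advisory or of any Microsoft tooling) classifies the `Microsoft.AspNetCore.App` entries printed by `dotnet --list-runtimes`. The function names, status labels and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify shared ASP.NET Core runtimes against the range in
# this advisory's table (>= 8.0.0, < 8.0.7; patched in 8.0.7).

# classify_version VERSION -> affected | patched | prerelease | not-in-table
classify_version() {
    v=$1
    case $v in
        *-*) echo prerelease; return ;;   # e.g. 8.0.0-rc.2...: review by hand
    esac
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    # Accept only a strict MAJOR.MINOR.PATCH made of digits.
    case $major$minor$patch in
        *[!0-9]*) echo not-in-table; return ;;
    esac
    if [ -z "$major" ] || [ -z "$minor" ] || [ -z "$patch" ] ||
       [ "$v" != "$major.$minor.$patch" ]; then
        echo not-in-table; return
    fi
    if [ "$major" -eq 8 ] && [ "$minor" -eq 0 ]; then
        if [ "$patch" -lt 7 ]; then echo affected; else echo patched; fi
    else
        # The table gives no range for other release lines (including 6.0).
        echo not-in-table
    fi
}

# scan_runtimes: reads `dotnet --list-runtimes` output on stdin and prints
# "<status> <version> <path>" for every Microsoft.AspNetCore.App line.
scan_runtimes() {
    while read -r name ver path; do
        [ "$name" = "Microsoft.AspNetCore.App" ] || continue
        echo "$(classify_version "$ver") $ver $path"
    done
}

# Constructed sample input in the `dotnet --list-runtimes` line format.
sample_runtimes() {
    cat <<'EOF'
Microsoft.AspNetCore.App 6.0.36 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.6 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.7 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.6 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
EOF
}

# On a real host: dotnet --list-runtimes | scan_runtimes
sample_runtimes | scan_runtimes
```

Self-contained deployments bundle their own copy of the runtime and do not appear in this listing, so check their published output separately. An `affected` result is only exploitable as described when the application has HTTP/3 enabled.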

Affected products

35
