.NET Framework July 2019 Security and Quality Rollup

Today, we are releasing the July 2019 Cumulative Update, Security and Quality Rollup, and Security Only Update for .NET Framework.

Security

CVE-2019-1006 – WCF/WIF SAML Token Authentication Bypass Vulnerability

An authentication bypass vulnerability exists in Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF), allowing signing of SAML tokens with arbitrary symmetric keys. This vulnerability allows an attacker to impersonate another user, which can lead to elevation of privileges. The vulnerability exists in WCF, WIF 3.5 and above in .NET Framework, WIF 1.0 component in Windows, WIF Nuget package, and WIF implementation in SharePoint. An unauthenticated attacker can exploit this by signing a SAML token with any arbitrary symmetric key.

This security update addresses the issue by ensuring all versions of WCF and WIF validate the key used to sign SAML tokens correctly.

CVE-2019-1006

CVE-2019-1083 – .NET Denial of Service Vulnerability

A denial of service vulnerability exists when Microsoft Common Object Runtime Library improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET web application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET application.

The update addresses the vulnerability by correcting how the .NET web application handles web requests.

CVE-2019-1083

CVE-2019-1113 – .NET Framework Remote Code Execution Vulnerability

A remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of .NET Framework. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.

The security update addresses the vulnerability by correcting how .NET Framework checks the source markup of a file.

CVE-2019-1113

Getting the Update

The Cumulative Update and Security and Quality Rollup are available via Windows Update, Windows Server Update Services, Microsoft Update Catalog, and Docker.  The Security Only Update is available via Windows Server Update Services and Microsoft Update Catalog.

Microsoft Update Catalog

You can get the update via the Microsoft Update Catalog. For Windows 10, NET Framework 4.8 updates are available via Windows Update, Windows Server Update Services, Microsoft Update Catalog.  Updates for other versions of .NET Framework are part of the Windows 10 Monthly Cumulative Update.

The following table is for Windows 10 and Windows Server 2016+ versions.

The following table is for earlier Windows and Windows Server versions.

Docker Images

We will be updating the following .NET Framework container images later today:

• microsoft-dotnet-framework-sdk
• microsoft-dotnet-framework-aspnet
• microsoft-dotnet-framework-runtime
• microsoft-dotnet-framework-wcf
• microsoft-dotnet-framework-samples

Note: You must re-pull base images in order to get updates. The Docker client does not pull updates automatically.

Previous Monthly Rollups

The last few .NET Framework Monthly updates are listed below for your convenience:

• June Cumulative Update for Windows 10 version 1903
• June 2019 Preview of Quality Rollup
• May 2019 Security and Quality Rollup

The post .NET Framework July 2019 Security and Quality Rollup appeared first on .NET Blog.