Affected .net versions by CVE-2024-0057

Matěj Prášek 20

Hello, I am concerned about CVE-2024-0057 and would like to know if .NET Core is affected. I have checked the security advisory here and can see that all supported versions of .NET (.NET 6 through .NET 8) are impacted. However, I am specifically interested in older, non-supported versions. Since our release and deployment process makes it difficult to update already deployed systems to the latest .NET version, I want to know if .NET Core is affected too given that it is the predecessor to .NET 5 and later. Or is the vulnerability only introduced in .NET 5/.NET 6? Thank you.

Jiale Xue - MSFT 35,556 Reputation points Microsoft Vendor

2024-02-26T06:47:07.1433333+00:00

Hi @Matěj Prášek , Welcome to Microsoft Q&A, In the .NET, only WindowsDesktop shared runtime containing a income box component that uses X.509 chain to generate the X.509 chain. Other project types (such as web applications) are not affected by this vulnerability, unless they are displayed in a form of vulnerability to build the X.509 chain to build the API itself, or they use the external bag that represents them performing this operation. Do you use X.509?
Matěj Prášek 20 Reputation points

2024-02-27T12:21:37.6666667+00:00

Hi @Jiale Xue - MSFT , thanks for your comment. Let me give you some background about our company. We produce a video management software that consists of a number of Windows servers installed on-premise. We provide support for all versions released in past 3 years, thus the question regarding .NET Core. We do use X.509 to retrieve and store certificates and to create self-signed certificates. We do not generate any certificate chains. If I understand correctly, the vulnerability is tied to creating X.509 chains by our application. If that is the case, we should not be affected. Can you please confirm that there is no misunderstanding between us?
Jiale Xue - MSFT 35,556 Reputation points Microsoft Vendor

2024-02-29T09:11:18.3966667+00:00

Hi @Matěj Prášek, You may need to consult a more professional person, I can't give you a guarantee. You can go directly to the issue under this link to ask.

Accepted answer

Michael Taylor 49,166 Reputation points

2024-02-23T16:19:34.8266667+00:00

Without knowing what the actual vulnerable code is it is hard to say. However looking at the link it says that System.Security.Cryptography.X509Certificates.dll <= 6.0.125 are impacted. That would lead me to believe that this impacts all versions prior to v6 as well, so yes you are vulnerable.

However System.Security.Cryptography.dll is only for v7 to v8 so .NET Core would be fine. If it weren't fine then you'd expect to see v6 of the binary impacted by the vulnerability as well.
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment

Share via

Affected .net versions by CVE-2024-0057

0 additional answers