Microsoft Security Advisory CVE-2021-41355 | .NET Core Information Disclosure Vulnerability #60301
Comments
I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.
Tagging subscribers to this area: @jay98014
Is it intended that updating from 5.0.0 to 5.0.1 results in this exception inside a Linux container?
We are currently still using LDAP and not LDAPS. We know we should move to LDAPS soon anyway, but I don't think a breaking change like this should be rolled out as a patch version.
@FelixSFD It looks like they added a switch to get the old behavior back: System.DirectoryServices.Protocols.UseBasicAuthFallback. I think you can enable it from runtimeConfig.json by adding
This should re-enable the old insecure behavior - but if you were only using LDAP basic authentication over an unencrypted connection anyway, then you are leaking the credentials in plain text no matter what you do. (I haven't tested this, this is just from looking at the source.)
Hello @FelixSFD, yes, the reason why you are seeing this is that during this servicing we also fixed another issue where the AuthType was a) incorrectly being defaulted to Basic and b) ignored if you set it to anything other than Basic. The fix for that was to change the default to match both Windows and the underlying native libraries, which is AuthType.Negotiate. We did add that app context switch in case you couldn't recompile the code and were broken due to this change, but if you do have the capacity to change the code, the fix is to set the connection's AuthType to Basic explicitly. Apologies for the inconvenience and do let us know if that doesn't work for you.
@poizan42 this is not entirely true. Even when using basic credentials, you can still opt to call
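The explicit-AuthType fix the maintainer describes above, combined with an encrypted transport so that a Basic bind never carries the password in the clear, as an added example that is not code from this thread or from the dotnet/runtime project. The host name, port, account, and the LdapClient helper name are placeholders.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

// Added example: connect with System.DirectoryServices.Protocols without relying
// on the library's default AuthType (Basic before 5.0.1, Negotiate from 5.0.1),
// and never send Basic credentials over an unencrypted socket.
// Host, port, account and the LdapClient name are placeholders.
static class LdapClient
{
    public static LdapConnection Connect(string host, int port, NetworkCredential credential,
                                         AuthType authType, bool useLdaps)
    {
        var identifier = new LdapDirectoryIdentifier(host, port,
            fullyQualifiedDnsHostName: true, connectionless: false);

        // Passing AuthType explicitly is the fix recommended in the thread: the
        // bind method no longer changes when the package's default changes.
        var connection = new LdapConnection(identifier, credential, authType);
        connection.SessionOptions.ProtocolVersion = 3;

        if (useLdaps)
        {
            // LDAPS: TLS is negotiated before any LDAP message is sent (usually port 636).
            connection.SessionOptions.SecureSocketLayer = true;
        }
        else
        {
            // Plain LDAP port: upgrade with StartTLS before binding. The call throws
            // if the server cannot negotiate TLS, so Bind() is never reached in the clear.
            connection.SessionOptions.StartTransportLayerSecurity(null);
        }

        // Leave server certificate validation at the platform default; do not install
        // a VerifyServerCertificate callback that returns true unconditionally.
        return connection;
    }

    public static void Main()
    {
        // Placeholder account; load the real secret from a secret store, never source code.
        var credential = new NetworkCredential("CN=svc-app,OU=Service,DC=example,DC=com",
                                               "<password-from-secret-store>");
        using LdapConnection connection = Connect("ldap.example.com", 636, credential,
                                                  AuthType.Basic, useLdaps: true);
        connection.Bind(); // simple bind over TLS; throws LdapException on failure
        Console.WriteLine("Bound as " + credential.UserName);
    }
}
```

The UseBasicAuthFallback switch mentioned in the thread only restores the old default bind method; it does nothing about the transport, so the TLS settings above are what actually address the advisory.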
@poizan42 @joperezr Thank you! :-) Setting I also tried to use
However, our domain controller is quite old and I'm not even sure what authentication types are enabled. So this might be an issue with our local configuration. We'll use the workaround for now and plan to switch to LDAPS when we upgrade to .NET 6.0 later this year. Just out of curiosity: Is there any way to view detailed changelogs of the .NET libraries? I couldn't find any list of things that were changed in 5.0.1 except this Security Advisory and this list without much detail.
Does this issue affect .NET Core 3.1? The System.DirectoryServices.Protocols version is 4.7.0.
It does not. This only affects the Linux implementation, which only shipped starting from package version 5.0, so 4.7.0 doesn't even support Linux yet. The only affected package here is 5.0.0.
Hi @joperezr, Thank you for your reply. Thanks,
Good point, that seems to be a bug in our docs, since the CVE also mentions that all 5.0.0 or lower versions are affected, which is not true. cc @rbhanda is that something you can help fix here? |
I have updated the security advisory patches table affected version to "5.0.0" from "5.0.0 or lower" but the package affected version was always 5.0.0. I am not sure how https://www.nuget.org/packages/System.DirectoryServices.Protocols/4.7.0 got updated. |
Are there any plans to patch this in the .NET 5 line of the package |
@anjbur I don't have info about this change, but note that 5.0 is out of support very soon: on May 8th. Can you update to 6.0? |
@anjbur you only get the warning because |
@danmoseley @joperezr We are in the process of updating to 6.0, but were looking to resolve this security alert in the meantime. We can certainly add the explicit reference to |
Microsoft Security Advisory CVE-2021-41355 | .NET Core Information Disclosure Vulnerability
Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
An Information Disclosure vulnerability exists in .NET where System.DirectoryServices.Protocols.LdapConnection may send credentials in plain text on Linux and macOS.
Announcement
Announcement for this issue can be found at dotnet/announcements#202
Mitigation factors
Microsoft has not identified any mitigating factors for this vulnerability.
Affected software
Any .NET application that uses System.DirectoryServices.Protocols with a vulnerable version listed below on systems based on Linux.
How do I know if I am affected?
If you are using a package version listed in affected software, you're exposed to the vulnerability.
How do I fix the issue?
To fix the issue, please update to the latest version of the affected software.
Other Information
Reporting Security Issues
If you have found a potential security issue in .NET, please email details to [email protected]. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.
Support
You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime and https://github.com/dotnet/aspnet/. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.
Disclaimer
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
External Links
CVE-2021-41355
Revisions
V1.0 (October 12, 2021): Advisory published.
Version 1.0
Last Updated 2021-10-12