Advisory Type: IT Security
Severity: High
Summary: PDS is providing the following communication to build awareness of high vulnerability in Microsoft .NET Core
On July 8, 2021, Microsoft released security updates that included a patch for CVE-2021-26701, a remote code execution (RCE) vulnerability in .NET Core, a general-purpose software development framework. With .NET Core being used to build many different applications, it is commonly found on many Windows systems, and extends to being a component of PowerShell Core & Microsoft Visual Studio.
While the vulnerability was patched on February 9, 2021, Microsoft released a new advisory from their Azure website on July 1, 2021, urging organizations to update older versions of PowerShell Core that contained this vulnerability. We have assessed this new update from Microsoft as a significant development, as it comes 5 months after a patch was released and suggests that there is an increased risk of systems remaining unpatched against CVE-2021-26701.
Microsoft’s advisory on CVE-2021-26701 indicates that the vulnerability has been “publicly disclosed”, suggesting that technical details have made their way into the public domain. With the renewed attention around CVE-2021-26701, it is our assessment that the likelihood of exploit code being developed for this vulnerability has increased.
Recommendations
#1 Identify Systems Vulnerable to CVE-2021-26701
Primary recommendation is to patch systems against CVE-2021-26701 in your environment as soon as possible.
It is recommended that you execute another Host-Based Vulnerability Scan of these assets after applying the patch in step #2 to validate that the vulnerability has been successfully mitigated.
#2 Follow Microsoft’s Guidance to Apply Patch For CVE-2021-26701
Review Microsoft’s advisory here to determine the appropriate security update to apply to your affected system(s): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26701
Technical Analysis
What is CVE-2021-26701?
CVE-2021-26701 is a remote code execution vulnerability that exists in .NET 5 and .NET Core due to how text encoding is performed. The vulnerable package within .NET is System.Text.Encodings.Web
Vulnerable package versions:
Any .NET 5, .NET Core, or .NET Framework based application that uses the System.Text.Encodings.Web package with a vulnerable version listed below.
What Systems are Affected by this Vulnerability?
Systems with any of the following .NET versions/Components installed are vulnerable to CVE-2021-26701:
- PowerShell Core 7.0
- PowerShell Core 7.1
- Microsoft Visual Studio 2019
- Version 16.9 (includes 16.0 – 16.8)
- Version 16.8 (includes 16.0 – 16.7)
- Version 16.7 (includes 16.0 – 16.6)
- Version 16.4 (includes 16.0 – 16.3)
- Microsoft Visual Studio 2017 version 15.9 (includes 15.0 – 15.8)
- Visual Studio 2019 for Mac
- .NET 5.0
- .NET Core 3.1
- .NET Core 2.1
What is the Severity Level of this Vulnerability?
Microsoft has assigned CVE-2021-26701 a CVSS score of 8.1, making it a high severity vulnerability.
What are the Likely Attack Scenarios Involving this Vulnerability?
At this time, Microsoft has not provided sufficient technical details for us to determine the exact attack scenarios involving this vulnerability. With the high severity rating of the vulnerability, we believe that a likely attack scenario would involve systems running applications built on .NET that are remotely accessible to an attacker.
References
1. Microsoft Advisory for CVE-2021-26701: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26701
2. Microsoft July 1 Advisory: https://azure.microsoft.com/en-us/updates/update-powershell-versions-70-and-71-to-protect-against-a-vulnerability/
We strongly advise customers to review the Microsoft Advisory and manage their environments accordingly. PDS Architects are available to assist, your Account Director can assist in arranging for support.
