CVE-2020-1046: .NET Framework Remote Code Execution Vulnerability

Overview

Severity

N/A

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2020-Aug

Released

2020-08-11

EPSS Score

11.30% (percentile: 93.5%)

Description

A remote code execution vulnerability exists when Microsoft .NET Framework processes input. An attacker who successfully exploited this vulnerability could take control of an affected system. To exploit the vulnerability, an attacker would need to be able to upload a specially crafted file to a web application. The security update addresses the vulnerability by correcting how .NET Framework processes input.

FAQ

Why are there two Security Updates for Windows 10 version 1809 and Windows Server 2019? Both updates address this vulnerability in Microsoft .NET Framework 3.5. However, Windows 10 version 1809 or Windows Server 2019 has either .NET Framework 4.7.2 or .NET Framework 4.8 installed in addition to .NET Framework 3.5. The updates for these versions of .NET Framework are bundled in the same update as .NET Framework 3.5. Customers running Windows 10 version 1809 or Server 2019 need to install the update that applies to the 4.X version of .NET installed on their system.

Affected Products (44)

Developer Tools

• Microsoft .NET Framework 3.5 on Windows 10 Version 1909 for x64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 (Server Core installation)
• Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for x64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for 32-bit Systems
• Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 (Server Core installation)
• Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for ARM64-based Systems
• Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2
• Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2
• Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019
• Microsoft .NET Framework 3.5 on Windows 10 Version 1803 for 32-bit Systems
• Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for 32-bit Systems
• Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for x64-based Systems
• Microsoft .NET Framework 3.5 on Windows 10 Version 1803 for x64-based Systems
• Microsoft .NET Framework 3.5 on Windows 10 Version 1803 for ARM64-based Systems
• Microsoft .NET Framework 3.5 on Windows 10 Version 1903 for 32-bit Systems
• Microsoft .NET Framework 3.5 on Windows 10 Version 1903 for x64-based Systems
• Microsoft .NET Framework 3.5 on Windows 10 Version 1709 for ARM64-based Systems
• Microsoft .NET Framework 3.5 on Windows 10 Version 1903 for ARM64-based Systems
• Microsoft .NET Framework 3.5 on Windows 10 Version 1607 for 32-bit Systems
• Microsoft .NET Framework 3.5 on Windows 10 Version 1709 for 32-bit Systems
• Microsoft .NET Framework 3.5 on Windows Server, version 1903 (Server Core installation)
• Microsoft .NET Framework 3.5 on Windows Server 2016 (Server Core installation)
• Microsoft .NET Framework 3.5 on Windows Server 2012 R2 (Server Core installation)
• Microsoft .NET Framework 3.5 on Windows Server 2016
• Microsoft .NET Framework 3.5 on Windows 8.1 for x64-based systems
• Microsoft .NET Framework 3.5.1 on Windows 7 for x64-based Systems Service Pack 1
• Microsoft .NET Framework 3.5 on Windows 10 Version 1709 for x64-based Systems
• Microsoft .NET Framework 3.5 on Windows Server 2012 R2
• Microsoft .NET Framework 3.5.1 on Windows 7 for 32-bit Systems Service Pack 1
• Microsoft .NET Framework 3.5 on Windows 10 Version 1607 for x64-based Systems
• Microsoft .NET Framework 3.5 on Windows Server 2012
• Microsoft .NET Framework 3.5 on Windows 8.1 for 32-bit systems
• Microsoft .NET Framework 3.5 on Windows Server 2012 (Server Core installation)
• Microsoft .NET Framework 3.5 on Windows 10 for x64-based Systems
• Microsoft .NET Framework 3.5 on Windows 10 for 32-bit Systems
• Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Microsoft .NET Framework 3.5 on Windows 10 Version 1909 for 32-bit Systems
• Microsoft .NET Framework 3.5 on Windows 10 Version 1909 for ARM64-based Systems
• Microsoft .NET Framework 3.5 on Windows Server, version 1909 (Server Core installation)
• Microsoft .NET Framework 3.5 on Windows 10 Version 2004 for 32-bit Systems
• Microsoft .NET Framework 3.5 on Windows 10 Version 2004 for ARM64-based Systems
• Microsoft .NET Framework 3.5 on Windows 10 Version 2004 for x64-based Systems
• Microsoft .NET Framework 3.5 on Windows Server, version 2004 (Server Core installation)

Security Updates (16)

• 4569751
• 4570505
• 4570505
• 4570509
• 4570503
• 4571709
• 4571741
• 4571694
• 4570508
• 4570502
• 4570506
• 4570500
• 4570507
• 4570501
• 4571692
• 4569745

Acknowledgments

Oleksandr Mirosh (@olekmirosh) from Micro Focus Fortify

Revision History

• 2020-08-11: Information published.