CVE-2024-21409: .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability

Overview

Severity

High (CVSS 7.3)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2024-Apr

Released

2024-04-09

Last Updated

2024-04-18

EPSS Score

54.70% (percentile: 98.0%)

FAQ

How could an attacker exploit this vulnerability? To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. Additionally, an attacker could convince a local user to open a malicious file. The attacker would have to convince the user to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file. For .NET 7.0 and .NET 8.0, what operating systems are affected by this vulnerability? This is a Windows-only vulnerability for .NET 7.0 and .NET 8.0. For more information see Microsoft Security Advisory CVE-2024-21409 | .NET Elevation of Privilege Vulnerability. According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. According to the CVSS metric, privileges required is low (PR:L). What does that mean for this remote code execution vulnerability? An authenticated attacker who successfully exploited a vulnerability in WordPad when closing a maliciously crafted .docx file could trigger execution of malicious code.

Detection & Weaponization (1 sources)

Maturity: Exploit

• GitHub PoC: 1 repositories

Affected Products (67)

Developer Tools

• Microsoft Visual Studio 2022 version 17.9
• Microsoft Visual Studio 2022 version 17.4
• Microsoft Visual Studio 2022 version 17.6
• Microsoft Visual Studio 2022 version 17.8
• PowerShell 7.3
• PowerShell 7.4
• PowerShell 7.2
• .NET 6.0
• .NET 7.0
• .NET 8.0
• Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
• Microsoft .NET Framework 4.8 on Windows Server 2012
• Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation)
• Microsoft .NET Framework 4.8 on Windows Server 2012 R2
• Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation)
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for 32-bit Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for x64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019
• Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 (Server Core installation)
• Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022
• Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 (Server Core installation)
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 11 version 21H2 for x64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 11 version 21H2 for ARM64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for 32-bit Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for ARM64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for x64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for x64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for ARM64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for 32-bit Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1607 for 32-bit Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1607 for x64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2016
• Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2016 (Server Core installation)
• Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for 32-bit Systems
• Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for x64-based Systems
• Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for ARM64-based Systems
• Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019
• Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 (Server Core installation)
• Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1607 for 32-bit Systems
• Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1607 for x64-based Systems
• Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2016
• Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2016 (Server Core installation)
• Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
• Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012
• Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation)
• Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2
• Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation)
• Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022
• ... and 17 more

Security Updates (26)

• Release Notes
• Release Notes
• Release Notes
• Release Notes
• Release Notes
• 5037336
• 5037337
• 5037338
• 5037127
• 5037039
• 5037040
• 5037034
• 5037033
• 5037037
• 5037035
• 5036609
• 5037034
• 5036899
• 5037038
• 5037127
• 5037039
• 5037040
• 5037033
• 5037037
• 5037035
• 5036620

Acknowledgments

wh1tc & Zhiniang Peng

Revision History

• 2024-04-09: Information published.
• 2024-04-16: The following updates have been made in the Security Updates table: 1) Added PowerShell 7.2, PowerShell 7.3, and PowerShell 7.4 because these versions of PowerShell 7 are affected by this vulnerability. See https://github.com/PowerShell/Announcements/issues/75 for more information. 2) Added .NET Framework 3.5 and 4.8.1 installed on Windows 11 version 23H2 for x64-based systems and Windows 11 version 23H2 for ARM-based systems because these versions of Windows 11 are also affected by this vulnerability. For these .NET Framework updates, customers whose systems are configured to receive automatic updates do not need to take any further action.
• 2024-04-18: Added an FAQ to indicate that for .NET 7.0 and .NET 8.0., Windows is the only operating system affected by this vulnerability. For more information see Microsoft Security Advisory CVE-2024-21409 | .NET Elevation of Privilege Vulnerability. This is an informational change only.