CVE-2024-29059: .NET Framework Information Disclosure Vulnerability

Overview

Severity

High (CVSS 7.5)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

Category

Information Disclosure

Exploit Status

Not Exploited

Exploitation Likelihood

More Likely

Patch Tuesday

2024-Mar

Released

2024-03-22

Last Updated

2024-05-08

EPSS Score

93.80% (percentile: 99.9%)

CISA KEV

Listed — due 2025-02-25

FAQ

**What type of information could be disclosed by this vulnerability? ** An attacker who successfully exploited this vulnerability could obtain the ObjRef URI which could lead to remote code execution.

Known Exploits (1)

• Microsoft .NET Framework Information Disclosure Vulnerability — added 2024-03-11T10:14:39Z

Detection & Weaponization (2 sources)

Maturity: Exploit

• Nuclei templates: .NET Framework - Leaking ObjRefs via HTTP .NET Remoting
• GitHub PoC: 1 repositories

Affected Products (68)

Developer Tools

• Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systems
• Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems
• Microsoft .NET Framework 4.8 on Windows Server 2016
• Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation)
• Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
• Microsoft .NET Framework 4.8 on Windows Server 2012
• Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation)
• Microsoft .NET Framework 4.8 on Windows Server 2012 R2
• Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation)
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for 32-bit Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for x64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019
• Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 (Server Core installation)
• Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022
• Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 (Server Core installation)
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 11 version 21H2 for x64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 11 version 21H2 for ARM64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for 32-bit Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for ARM64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for x64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for x64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for ARM64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for 32-bit Systems
• Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for x64-based Systems
• Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019
• Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2019 (Server Core installation)
• Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1607 for 32-bit Systems
• Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1607 for x64-based Systems
• Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2016
• Microsoft .NET Framework 3.5 AND 4.7.2 on Windows Server 2016 (Server Core installation)
• Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
• Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012
• Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation)
• Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2
• Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation)
• Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022
• Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 (Server Core installation)
• Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 version 21H2 for x64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 version 21H2 for ARM64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for 32-bit Systems
• Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for ARM64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for x64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 22H2 for ARM64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 22H2 for x64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for x64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for ARM64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for 32-bit Systems
• Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 23H2 for ARM64-based Systems
• ... and 18 more

Security Updates (26)

• 5033910
• 5034277
• 5034269
• 5034278
• 5034279
• 5034273
• 5034272
• 5034276
• 5034274
• 5034273
• 5034119
• 5034277
• 5034278
• 5034279
• 5034276
• 5034274
• 5033920
• 5033917
• 5034270
• 5034134
• 5034280
• 5034270
• 5034278
• 5034279
• 5034277
• 5034269

Acknowledgments

<a href="https://twitter.com/mwulftange">Markus Wulftange</a> with <a href="https://code-white.com/">CODE WHITE GmbH</a>, <a href="https://twitter.com/mwulftange">Markus Wulftange</a> with <a href="https://code-white.com/">CODE WHITE GmbH</a>

Revision History

• 2024-03-22: Information published. This CVE was addressed by updates that were released in January 2024, but the CVE was inadvertently omitted from the January 2024 Security Updates. This is an informational change only. Customers who have already installed the January 2024 updates do not need to take any further action.
• 2024-05-08: The following corrections have been made in the Security Updates table: 1) Removed .NET Framework 3.5 and 4.7.2 on Windows 10 version 1809 for ARM-based systems, .NET Framework 3.5 and 4.7/4.7.1/4.7.2 on Windows 10 version 1607 as these versions are not affected by this vulnerability. 2) Added .NET Framework 3.5 &amp; 4.8 on Windows 10 version 1809 and Windows Server 2019, .NET Framework 3.5 and 4.7.2 on Windows 10 version 1607. Customers whose systems are configured to receive automatic updates do not need to take any further action. 3) Corrected Download and Article links.