Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.
What privileges could be gained by an attacker who successfully exploited this vulnerability?

An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

How do I know if I'm affected?

You are affected if all three of the following are true:

1. Your application uses Microsoft.AspNetCore.DataProtection 10.0.6 from NuGet (directly, or through a package that depends on it such as Microsoft.AspNetCore.DataProtection.StackExchangeRedis).
2. The NuGet copy of the library was actually loaded at runtime, not the shared framework copy. This typically means you deploy self-contained, or your installed shared framework is older than the NuGet package version.
3. Your application runs on Linux, macOS, or another non-Windows OS.

How do I determine if the vulnerable binary was loaded?

Check application logs. The clearest symptom is users being logged out and repeated "The payload was invalid" errors in your logs after upgrading to 10.0.6.

Check your project file. Look for a PackageReference to Microsoft.AspNetCore.DataProtection version 10.0.6 in your .csproj file (or in a package that depends on it). You can also run dotnet list package to see resolved package versions.

Inspect the binary on disk. See Technical details for how to distinguish the affected NuGet binary from the correct shared framework binary by file size.

Additional information

Shared framework deployments are not affected. If your application runs framework-dependent and the installed ASP.NET Core shared framework version is ≥ your Microsoft.AspNetCore.DataProtection PackageReference version, the correct shared framework binary is loaded and the NuGet binary is never used.

Windows deployments are not affected. On Windows, DataProtection uses CNG-based encryptors by default, which do not contain this bug.

8.0.x and 9.0.x packages are not affected. The defective code path w
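A way to apply the three "am I affected" conditions above mechanically, as an added example that is not Microsoft's tooling: it reads the PackageReference from a .csproj and the installed Microsoft.AspNetCore.App versions from `dotnet --list-runtimes` output, then reports whether the NuGet 10.0.6 binary would be the one loaded. The sample project file and runtime listing are constructed, and reading self-contained deployment from a SelfContained property is an assumption.

```python
import re
import xml.etree.ElementTree as ET

AFFECTED = (10, 0, 6)
# Package names that carry the affected assembly (both are named in the advisory).
PACKAGES = {"Microsoft.AspNetCore.DataProtection",
            "Microsoft.AspNetCore.DataProtection.StackExchangeRedis"}

def parse_version(text):
    return tuple(int(p) for p in text.split("."))

def referenced_version(csproj_xml):
    """Return (package version or None, self_contained) read from a .csproj."""
    root = ET.fromstring(csproj_xml)
    # Assumption: self-contained deployment is declared as <SelfContained>true</SelfContained>.
    sc = root.findtext(".//SelfContained", default="false").strip().lower() == "true"
    for ref in root.iter("PackageReference"):
        if ref.get("Include") in PACKAGES:
            ver = ref.get("Version") or ref.findtext("Version", default="")
            return parse_version(ver), sc
    return None, sc

def installed_aspnetcore(list_runtimes_output, major_minor):
    """Highest Microsoft.AspNetCore.App patch for major_minor in `dotnet --list-runtimes` output."""
    best = None
    for m in re.finditer(r"^Microsoft\.AspNetCore\.App (\d+\.\d+\.\d+) ", list_runtimes_output, re.M):
        v = parse_version(m.group(1))
        if v[:2] == tuple(major_minor) and (best is None or v > best):
            best = v
    return best

def is_affected(csproj_xml, list_runtimes_output, os_name):
    """True only when all three advisory conditions hold."""
    pkg, self_contained = referenced_version(csproj_xml)
    if pkg != AFFECTED or os_name == "Windows":
        return False  # other package version, or the CNG-based encryptors on Windows
    if self_contained:
        return True   # no shared framework to fall back on: the NuGet binary is loaded
    shared = installed_aspnetcore(list_runtimes_output, pkg[:2])
    return shared is None or shared < pkg  # an older (or missing) shared framework loses

# Constructed sample inputs: a framework-dependent net10.0 project on a host with 10.0.5 installed
CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup><TargetFramework>net10.0</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.6" />
  </ItemGroup>
</Project>"""
RUNTIMES = "Microsoft.AspNetCore.App 10.0.5 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]\n"
```

Feed it your real .csproj text and the captured `dotnet --list-runtimes` output; a True result means the NuGet binary, not the shared framework copy, is what your process loads.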