Security Update for .NET Core SDK (July 2020)

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(138466);
  script_version("1.13");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/04/25");

  script_cve_id("CVE-2020-1147");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/05/03");

  script_name(english:"Security Update for .NET Core SDK (July 2020)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by a .NET Core SDK remote code execution (RCE) vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Microsoft .NET Core SDK installation on the remote host is version 2.1.x < 2.1.516 / 2.1.613 / 2.1.808, or
3.1.x < 3.1.106 / 3.1.302. It is, therefore, affected by a remote code execution vulnerability. It is, therefore,
affected by a remote code execution (RCE) vulnerability due to failing to check the source markup of XML file input. An
unauthenticated, remote attacker can exploit this, by issuing specially crafted requests to applications that process
certain types of XML, to execute arbitrary code in the context of the current user.");
  script_set_attribute(attribute:"see_also", value:"https://dotnet.microsoft.com/download/dotnet-core/3.1");
  # https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1147
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?43ad1c2a");
  script_set_attribute(attribute:"see_also", value:"https://github.com/dotnet/announcements/issues/159");
  script_set_attribute(attribute:"solution", value:
"Refer to vendor documentation.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1147");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SharePoint DataSet / DataTable Deserialization');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/07/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/07/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/07/14");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:.net_core");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("microsoft_dotnet_core_sdk_win.nbin");
  script_require_keys("installed_sw/.NET Core SDK Windows", "Settings/ParanoidReport");

  exit(0);
}

include('vcf.inc');

if (report_paranoia < 2) audit(AUDIT_PARANOID);

app = '.NET Core SDK Windows';

app_info = vcf::get_app_info(app:app, win_local:TRUE);

constraints = [
  { 'min_version' : '2.1',     'fixed_version' : '2.1.516' },
  { 'min_version' : '2.1.600', 'fixed_version' : '2.1.613' },
  { 'min_version' : '2.1.800', 'fixed_version' : '2.1.808' },
  { 'min_version' : '3.1',     'fixed_version' : '3.1.106' },
  { 'min_version' : '3.1.200', 'fixed_version' : '3.1.302' }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);