==========================================================================
Ubuntu Security Notice USN-7105-1
November 12, 2024
dotnet9 vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.10
Summary:
Several security issues were fixed in .NET.
Software Description:
- dotnet9: .NET CLI tools and runtime
Details:
It was discovered that the NrbfDecoder component in .NET, which parses
payloads in the .NET Remoting Binary Format (NRBF, the format written by
BinaryFormatter), did not properly handle a type confusion condition. An
attacker able to supply a crafted NRBF payload to an application that
decodes it could use this issue to execute arbitrary code in the context
of that application. Microsoft's advisory notes that no authentication is
required when the payload can be delivered remotely, for example as a
specially crafted request to a web application or as a crafted file that
the application loads. (CVE-2024-43498)
It was discovered that the NrbfDecoder component in .NET did not properly
validate its input. An unauthenticated remote attacker able to supply a
crafted NRBF payload could use this issue to cause a denial of service in
the decoding application. (CVE-2024-43499)
Only applications that use NrbfDecoder, which ships in the
System.Formats.Nrbf package, are affected. By default, .NET console and
web applications do not reference it; applications that use it to read
BinaryFormatter-produced data do.
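The mitigation factor in the Microsoft advisories (only applications that use NrbfDecoder are affected) becomes a concrete check once you know where the component lives: NrbfDecoder is the System.Formats.Nrbf NuGet package. The Python script below is an added example, not part of the Ubuntu notice or of the .NET project. It scans a published application's deps.json and an SDK-style project file for a reference to that package and flags any version below the 9.0.0 release, so a 9.0.0 prerelease such as rc.2 counts as affected. The deps.json and csproj contents embedded in it are constructed samples; the project name LegacyImporter and the RC2 build number are hypothetical.

```python
"""Flag references to the System.Formats.Nrbf package (home of NrbfDecoder) below
the fixed 9.0.0 release in a published app's deps.json or a project file.
Added example, not part of USN-7105-1 or of .NET; samples below are constructed."""
import json
import re
import xml.etree.ElementTree as ET

PACKAGE = "System.Formats.Nrbf"
FIXED = (9, 0, 0)   # first non-prerelease release; any 9.0.0-* prerelease is still affected

# Constructed deps.json excerpt; 'LegacyImporter' and the RC2 build number are hypothetical.
SAMPLE_DEPS_JSON = """{
  "runtimeTarget": {"name": ".NETCoreApp,Version=v9.0", "signature": ""},
  "targets": {
    ".NETCoreApp,Version=v9.0": {
      "LegacyImporter/1.0.0": {
        "dependencies": {"System.Formats.Nrbf": "9.0.0-rc.2.24473.5"},
        "runtime": {"LegacyImporter.dll": {}}
      },
      "System.Formats.Nrbf/9.0.0-rc.2.24473.5": {
        "runtime": {"lib/net9.0/System.Formats.Nrbf.dll": {}}
      }
    }
  },
  "libraries": {
    "LegacyImporter/1.0.0": {"type": "project", "serviceable": false, "sha512": ""},
    "System.Formats.Nrbf/9.0.0-rc.2.24473.5": {"type": "package", "serviceable": true, "sha512": ""}
  }
}"""

# Constructed SDK-style project file pinning the same prerelease package.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="System.Formats.Nrbf" Version="9.0.0-rc.2.24473.5" />
  </ItemGroup>
</Project>"""

_VERSION = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.\d+)?(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")

def parse_version(text):
    """Split a NuGet/SemVer 2 version into ((major, minor, patch), prerelease-or-None)."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"not a single version: {text!r}")
    return tuple(int(x or 0) for x in m.group(1, 2, 3)), m.group(4)

def is_fixed(text):
    """True for 9.0.0 or later; a 9.0.0 prerelease (rc, preview) ranks below 9.0.0 and is affected."""
    nums, prerelease = parse_version(text)
    return nums > FIXED or (nums == FIXED and prerelease is None)

def scan_deps_json(text):
    """Return [(package, version, fixed)] for each System.Formats.Nrbf entry in a deps.json."""
    hits = []
    for key in json.loads(text).get("libraries", {}):
        name, _, version = key.partition("/")   # library keys are 'Name/Version'
        if name.lower() == PACKAGE.lower():
            hits.append((name, version, is_fixed(version)))
    return hits

def scan_csproj(text):
    """Return [(package, version, fixed)] for PackageReference items; fixed is None for ranges/wildcards."""
    hits = []
    for ref in ET.fromstring(text).iter("PackageReference"):
        if (ref.get("Include") or "").lower() == PACKAGE.lower():
            version = ref.get("Version") or ref.findtext("Version") or ""
            try:
                fixed = is_fixed(version)
            except ValueError:        # e.g. '9.0.*' or '[9.0.0,)': check the resolved deps.json instead
                fixed = None
            hits.append((ref.get("Include"), version, fixed))
    return hits

if __name__ == "__main__":
    for source, hits in (("deps.json", scan_deps_json(SAMPLE_DEPS_JSON)),
                         ("csproj", scan_csproj(SAMPLE_CSPROJ))):
        for name, version, fixed in hits:
            state = {True: "fixed", False: "AFFECTED", None: "unresolved"}[fixed]
            print(f"{source}: {name} {version} -> {state}")
```

The deps.json scan is the authoritative one, because it records the version that was actually restored; the project-file scan catches pins before a build and reports None for version ranges and wildcards, which only the restored deps.json can resolve. Old-style project files that declare the MSBuild XML namespace are not matched by the bare PackageReference tag lookup.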
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
aspnetcore-runtime-9.0 9.0.0-rtm-0ubuntu1~24.10.1
dotnet-host-9.0 9.0.0-rtm-0ubuntu1~24.10.1
dotnet-hostfxr-9.0 9.0.0-rtm-0ubuntu1~24.10.1
dotnet-runtime-9.0 9.0.0-rtm-0ubuntu1~24.10.1
dotnet-sdk-9.0 9.0.100-rtm-0ubuntu1~24.10.1
dotnet-sdk-aot-9.0 9.0.100-rtm-0ubuntu1~24.10.1
dotnet9 9.0.100-9.0.0-0ubuntu1~24.10.1
In general, a standard system update will make all the necessary changes.
Running .NET applications and services keep the old runtime loaded until
they are restarted. The package update does not reach applications that
ship their own copy of the runtime (self-contained deployments) or that
pull System.Formats.Nrbf in as a NuGet package; those must be rebuilt
against the fixed 9.0.0 release of the package, as described in the
Microsoft advisories.
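To verify the update on a host, compare what dpkg reports against the fixed versions listed above. The Python script below is an added example, not part of the notice. It ports dpkg's version ordering (epoch, upstream version and revision compared in turn, with '~' sorting before everything, so a '~rc2' or '~24.10.1' suffix orders below the plain string) so the comparison can be checked and unit-tested without dpkg, then audits a constructed dpkg-query listing embedded in it. The '9.0.0~rc2' installed version in that listing is hypothetical.

```python
"""Audit installed dotnet9 packages against USN-7105-1 fixed versions using a
Python port of dpkg's version ordering. Added example, not part of the notice;
the dpkg-query output below is constructed and its '~rc2' version hypothetical."""

# Fixed versions for Ubuntu 24.10, copied from the notice.
FIXED_VERSIONS = {
    "aspnetcore-runtime-9.0": "9.0.0-rtm-0ubuntu1~24.10.1",
    "dotnet-host-9.0": "9.0.0-rtm-0ubuntu1~24.10.1",
    "dotnet-hostfxr-9.0": "9.0.0-rtm-0ubuntu1~24.10.1",
    "dotnet-runtime-9.0": "9.0.0-rtm-0ubuntu1~24.10.1",
    "dotnet-sdk-9.0": "9.0.100-rtm-0ubuntu1~24.10.1",
    "dotnet-sdk-aot-9.0": "9.0.100-rtm-0ubuntu1~24.10.1",
}

# Constructed stand-in for: dpkg-query -W -f='${Package} ${Version}\n' 'dotnet-*-9.0' 'aspnetcore-*-9.0'
SAMPLE_DPKG_QUERY = """\
dotnet-host-9.0 9.0.0-rtm-0ubuntu1~24.10.1
dotnet-runtime-9.0 9.0.0~rc2-0ubuntu1~24.10.1
dotnet-sdk-9.0 9.0.100-rtm-0ubuntu1~24.10.1
"""

def _isdigit(c):
    return len(c) == 1 and c in "0123456789"

def _order(c):
    """dpkg weight of a non-digit character ('' is end of string): '~' < end < letters < others."""
    if c == "" or _isdigit(c):
        return 0
    if c.isascii() and c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    """Port of dpkg's verrevcmp(): alternate non-digit and numeric runs; <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":   # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and _isdigit(a[i]):   # the longer numeric run is larger
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0

def split_version(v):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision); epoch defaults to 0."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")   # only the last '-' starts the revision
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1, matching what `dpkg --compare-versions a lt|eq|gt b` decides."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def audit(dpkg_query_output, fixed=FIXED_VERSIONS):
    """Map each installed package named in the notice to (version, 'fixed' or 'vulnerable')."""
    result = {}
    for line in dpkg_query_output.splitlines():
        if not line.strip():
            continue
        package, installed = line.split(None, 1)
        if package in fixed:
            installed = installed.strip()
            status = "fixed" if compare_versions(installed, fixed[package]) >= 0 else "vulnerable"
            result[package] = (installed, status)
    return result

def vulnerable_packages(dpkg_query_output, fixed=FIXED_VERSIONS):
    """Sorted names of installed packages still below their fixed version."""
    return sorted(p for p, (_, s) in audit(dpkg_query_output, fixed).items() if s == "vulnerable")

if __name__ == "__main__":
    import sys
    text = SAMPLE_DPKG_QUERY if sys.stdin.isatty() else sys.stdin.read()
    for package, (version, status) in sorted(audit(text).items()):
        print(f"{status:<10} {package:<24} {version}")
```

On a real host, pipe the dpkg-query command from the comment into the script; on a box where dpkg is present, `dpkg --compare-versions` gives the same answers and is the reference to check the port against. Packages from the table that are not installed are simply absent from the result.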
References:
https://ubuntu.com/security/notices/USN-7105-1
CVE-2024-43498, CVE-2024-43499
https://github.com/dotnet/announcements/issues/334 (Microsoft advisory for CVE-2024-43498)
https://github.com/dotnet/announcements/issues/333 (Microsoft advisory for CVE-2024-43499)
Package Information:
https://launchpad.net/ubuntu/+source/dotnet9/9.0.100-9.0.0-0ubuntu1~24.10.1