#microsoft

# Microsoft Security Advisory CVE-2024-35264 | .NET Remote Code Execution Vulnerability ## <a name="executive-summary"></a>Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A Vulnerability exists in ASP.NET Core 8 where Data Corruption in Kestrel HTTP/3 can result in remote code execution. Note: HTTP/3 is experimental in .NET 6.0. If you are on .NET 6.0 and using HTTP/3, please upgrade to .NET 8.0.7 ## Announcement Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/314 ## <a name="mitigation-factors"></a>Mitigation factors Microsoft has not identified any mitigating factors for this vulnerability. ## <a name="affected-software"></a>Affected software * Any .NET 8.0 application running on .NET 8.0.6 or earlier. ## <a name="affected-packages"></a...

# Microsoft Security Advisory CVE-2024-30105 | .NET Denial of Service Vulnerability ## <a name="executive-summary"></a>Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in .NET when calling the JsonSerializer.DeserializeAsyncEnumerable method against an untrusted input using System.Text.Json may result in Denial of Service. ## Discussion Discussion for this issue can be found at https://github.com/dotnet/runtime/issues/104619 ## <a name="mitigation-factors"></a>Mitigation factors Microsoft has not identified any mitigating factors for this vulnerability. ## <a name="affected-software"></a>Affected software * Any .NET 8.0 application running on .NET 8.0.6 or earlier. ## <a name="affected-packages"></a>Affected Packages The vulnerability affects any Microsoft .NE...

Microsoft Corp. today issued software updates to plug 139 security holes in various flavors of Windows and other Microsoft products. Redmond says attackers are already exploiting at least two of the vulnerabilities in active attacks against Windows users.

This is the largest Patch Tuesday since April, when Microsoft patched 150 vulnerabilities.

**Are there any further actions I need to take to be protected from this vulnerability?** Yes. The Windows Smart Card infrastructure relies on the Cryptographic Service Provider (CSP) and Key Storage Provider (KSP) to isolate cryptographic operations from the Smart Card implementation. The KSP is part of the Crypto Next Generation (CNG) architecture and is intended to support modern smart cards. In the case of RSA based certificates, the Smart Card Certificate Propagation service automatically overrides the default and uses the CSP instead of the KSP. This limits usage to the cryptography provided by the CSP and does not benefit from the modern cryptography provided by the KSP. Beginning with the July 2024 security updates released on July 9, 2024, this vulnerability will be addressed by removing the RSA override and using the KSP as the default. This change is initially disabled by default to allow customers to test it in their environment and to detect any application compatibility...

**According to the CVSS metric, user interaction is required (UI:R) and privileges required is low (PR:L). What does that mean for this vulnerability?** An authorized attacker must be on the network to monitor domain network traffic (PR:L) while monitoring for user (UI:R) generated network traffic, or alternatively that attacker convinces an authenticated user to execute a malicious script, as a step to exploit this vulnerability.

The following mitigating factor might be helpful in your situation: Consider upgrading to Defender for IoT version 24.1.4 or newer.

**According to the CVSS metric, privileges required is low (PR:H). What does that mean for this vulnerability?** An authenticated attacker with Site Owner permissions can use the vulnerability to inject arbitrary code and execute this code in the context of SharePoint Server.

The following mitigation may be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave Remote Desktop Licensing Service disabled: **1\. Disable Remote Desktop Licensing Service if is not required.** If you no longer need this service on your system, consider disabling it as a security best practice. Disabling unused and unneeded services helps reduce your exposure to security vulnerabilities.

**How could an attacker exploit this vulnerability?** To exploit this vulnerability, a victim machine must be running a performance counter collection tool such as Performance Monitor to collect performance counter data from an attacker machine. An attacker with local admin authority on the attacker machine could run malicious code remotely in the victim machine's performance counter data collector process.