CVE-2023-35390
📋 TL;DR
CVE-2023-35390 is a remote code execution vulnerability in .NET and Visual Studio that allows attackers to execute arbitrary code on affected systems. The vulnerability affects systems running vulnerable versions of .NET Framework, .NET Core, and Visual Studio. Attackers can exploit this by tricking users into opening specially crafted files or visiting malicious websites.
💻 Affected Systems
- .NET Framework
- .NET Core
- Visual Studio
📦 What is this software?
.net by Microsoft
.net by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the affected system, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Attacker executes malicious code in the context of the current user, potentially installing malware, stealing credentials, or establishing persistence on the system.
If Mitigated
Limited impact with proper network segmentation, application whitelisting, and least privilege principles in place, potentially containing the attack to isolated segments.
🎯 Exploit Status
Exploitation requires user interaction such as opening a malicious file or visiting a compromised website. No public proof-of-concept has been released at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: See Microsoft Security Update Guide for specific patched versions
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35390
Restart Required: Yes
Instructions:
1. Apply the latest security updates from Microsoft Update or Windows Update. 2. For .NET Framework, install the latest cumulative updates. 3. For .NET Core and Visual Studio, update to the latest versions. 4. Restart affected systems after patching.
🔧 Temporary Workarounds
Disable vulnerable components
allTemporarily disable or restrict access to vulnerable .NET components if they are not essential for operations
Application control policies
windowsImplement application whitelisting to prevent execution of unauthorized .NET applications
🧯 If You Can't Patch
- Implement network segmentation to isolate vulnerable systems from critical assets
- Apply strict access controls and monitor for suspicious .NET process execution
🔍 How to Verify
Check if Vulnerable:
Check installed .NET versions and compare against Microsoft's security advisory for affected versionsCheck Version:
On Windows: 'wmic product get name,version' or check Add/Remove Programs. On Linux: 'dotnet --info' for .NET CoreVerify Fix Applied:
Verify that security updates have been applied and check that .NET versions match patched versions in Microsoft's advisory📡 Detection & Monitoring
Log Indicators:
- Unusual .NET process execution patterns
- Suspicious file access by .NET applications
- Unexpected network connections from .NET processes
Network Indicators:
- Unusual outbound connections from .NET applications
- Traffic patterns indicative of command and control
SIEM Query:
Process creation events where parent process is .NET related and child process is suspicious or unexpected🔗 References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35390
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CL2L4WE5QRT7WEXANYXSKSU43APC5N2V/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NWVZFKTLNMNKPZ755EMRYIA6GHFOWGKY/
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35390
