CVE-2024-50353

5.3 MEDIUM

📋 TL;DR

A vulnerability in the ICG.AspNetCore.Utilities.CloudStorage library causes SAS URIs to be generated with an incorrect duration when users specify a duration other than 1 hour. This could lead to unintended access periods for cloud storage resources. Only users implementing SAS URIs with custom durations are affected.

💻 Affected Systems

Products:
  • ICG.AspNetCore.Utilities.CloudStorage
Versions: Before 8.0.0
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only affects users who implement SAS URIs with durations other than 1 hour

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive cloud storage data could be exposed for longer than intended or access could be prematurely revoked, potentially leading to data breaches or service disruptions.

🟠 Likely Case

SAS URIs with incorrect durations could cause operational issues where users lose access too early or maintain access longer than security policies allow.

🟢 If Mitigated

With proper monitoring and access controls, the impact is limited to minor operational inconvenience.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires knowledge of the vulnerable implementation and the ability to generate SAS URIs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.0.0

Vendor Advisory: https://github.com/IowaComputerGurus/aspnetcore.utilities.cloudstorage/security/advisories/GHSA-24mc-gc52-47jv

Restart Required: Yes

Instructions:

1. Update NuGet package to version 8.0.0 or later
2. Rebuild and redeploy application
3. Restart application services

🔧 Temporary Workarounds

Use 1-hour SAS URI duration

Platform: all

Set SAS URI duration to exactly 1 hour to avoid the bug.

Implement custom SAS URI generation

Platform: all

Bypass the library's SAS URI generation and implement your own logic.

🧯 If You Can't Patch

  • Implement additional access monitoring for SAS URIs
  • Use shorter default SAS URI durations and implement renewal mechanisms

🔍 How to Verify

Check if Vulnerable:

You are affected if the project uses the ICG.AspNetCore.Utilities.CloudStorage package at a version below 8.0.0 and implements SAS URIs with durations other than 1 hour.

Check Version:

Check the project's .csproj file or the NuGet package manager for the ICG.AspNetCore.Utilities.CloudStorage version.

Verify Fix Applied:

Verify that the package version is 8.0.0 or higher, and test SAS URI generation with various durations.
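
One way to run the duration test on generated URIs, as an added example (not code from the library or its advisory): it parses the `st` (start) and `se` (expiry) parameters of an Azure Storage SAS URI and compares the validity window with the duration that was requested. The account name, blob path, signature, sample URIs and the 5-minute tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit


def _parse_sas_time(value):
    """Parse an ISO 8601 UTC timestamp as carried in st/se."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def sas_validity(uri, issued_at=None):
    """Return (start, expiry) of a SAS URI.

    st is optional; without it the token is valid from issuance, so the
    caller must pass issued_at (timezone-aware) to measure the window.
    """
    params = parse_qs(urlsplit(uri).query)
    if "se" not in params:
        raise ValueError("no se (expiry) parameter in URI")
    expiry = _parse_sas_time(params["se"][0])
    if "st" in params:
        start = _parse_sas_time(params["st"][0])
    elif issued_at is not None:
        start = issued_at
    else:
        raise ValueError("no st parameter; pass issued_at")
    return start, expiry


def duration_matches(uri, requested, issued_at=None,
                     tolerance=timedelta(minutes=5)):
    """True when the validity window equals the requested duration.

    tolerance (assumed value) absorbs clock-skew padding applied to st.
    """
    start, expiry = sas_validity(uri, issued_at)
    return abs((expiry - start) - requested) <= tolerance


# Constructed samples: placeholder account, blob path and signature.
BASE = ("https://exampleaccount.blob.core.windows.net/docs/report.pdf"
        "?sv=2022-11-02&sr=b&sp=r&sig=PLACEHOLDER")
GOOD_4H = BASE + "&st=2024-10-30T12%3A00%3A00Z&se=2024-10-30T16%3A00%3A00Z"
# Constructed mismatch (1 h window), not the library's actual output.
WRONG_4H = BASE + "&st=2024-10-30T12%3A00%3A00Z&se=2024-10-30T13%3A00%3A00Z"

if __name__ == "__main__":
    for name, uri in (("GOOD_4H", GOOD_4H), ("WRONG_4H", WRONG_4H)):
        print(name, duration_matches(uri, timedelta(hours=4)))
```

Feed it the URIs your application actually returns for each duration you request; any `False` after upgrading means the deployed build is still generating the wrong window.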

📡 Detection & Monitoring

Log Indicators:

  • Unexpected SAS URI access patterns
  • Access attempts outside expected time windows

Network Indicators:

  • SAS URI requests with unusual timing patterns

SIEM Query:

Search for cloud storage access logs with SAS tokens outside expected validity periods
