===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0214
      Security vulnerabilities patched in Microsoft development tools
                             12 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Microsoft .NET Framework
                      ASP.NET Core 2.1
                      .NET Core 2.1
                      C SDK for Azure IoT
                      ChakraCore
                      Microsoft.Data.OData
                      System.IO.Pipelines
Operating System:     Windows
Impact/Access:        Administrator Compromise        -- Remote with User Interaction
                      Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Access Privileged Data          -- Remote with User Interaction
                      Denial of Service               -- Remote/Unauthenticated      
                      Provide Misleading Information  -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-8479 CVE-2018-8467 CVE-2018-8466
                      CVE-2018-8465 CVE-2018-8459 CVE-2018-8456
                      CVE-2018-8452 CVE-2018-8421 CVE-2018-8409
                      CVE-2018-8391 CVE-2018-8367 CVE-2018-8354
                      CVE-2018-8315 CVE-2018-8269 
Member content until: Friday, October 12 2018

OVERVIEW

        Microsoft has released its monthly security patch update for the month of
        September 2018. [1]  This update resolves 14 vulnerabilities across the
        following products:
        
         .NET Core 2.1
         ASP.NET Core 2.1
         C SDK for Azure IoT
         ChakraCore
         Microsoft .NET Framework 2.0 Service Pack 2
         Microsoft .NET Framework 3.0 Service Pack 2
         Microsoft .NET Framework 3.5
         Microsoft .NET Framework 3.5.1
         Microsoft .NET Framework 4.5.2
         Microsoft .NET Framework 4.6
         Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2
         Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2
         Microsoft .NET Framework 4.7.1/4.7.2
         Microsoft .NET Framework 4.7.2
         Microsoft .NET Framework 4.7/4.7.1/4.7.2
         Microsoft.Data.OData
         System.IO.Pipelines


IMPACT

        Microsoft has given the following details regarding these vulnerabilities.
        
         Details         Impact                   Severity
         CVE-2018-8269   Denial of Service        Important
         CVE-2018-8315   Information Disclosure   Important
         CVE-2018-8354   Remote Code Execution    Important
         CVE-2018-8367   Remote Code Execution    Critical
         CVE-2018-8391   Remote Code Execution    Critical
         CVE-2018-8409   Denial of Service        Important
         CVE-2018-8421   Remote Code Execution    Critical
         CVE-2018-8452   Information Disclosure   Important
         CVE-2018-8456   Remote Code Execution    Critical
         CVE-2018-8459   Remote Code Execution    Critical
         CVE-2018-8465   Remote Code Execution    Critical
         CVE-2018-8466   Remote Code Execution    Critical
         CVE-2018-8467   Remote Code Execution    Critical
         CVE-2018-8479   Spoofing                 Important


MITIGATION

        Microsoft recommends updating the software with the version made available on
        the Microsoft Update Catalogue for the following Knowledge Base articles. [1]
        
         KB4457035, KB4457038, KB4457033, KB4457142, KB4457030
         KB4457025, KB4457027, KB4457026, KB4457029, KB4457042
         KB4457128, KB4457045, KB4457044, KB4457132, KB4457131
         KB4457036, KB4457037, KB4457034, KB4457053, KB4457054
         KB4457055, KB4457056, KB4457138, KB4457043, KB4457028


REFERENCES

        [1] Security Update Guide
            https://portal.msrc.microsoft.com/en-us/security-guidance

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================