Hash: SHA256

             AUSCERT External Security Bulletin Redistribution

        Vulnerabilities in ASP.NET Core View Components Could Allow
                          Elevation of Privilege
                             14 September 2016


        AusCERT Security Bulletin Summary

Product:           Microsoft ASP.NET
Publisher:         Microsoft
Operating System:  Windows
Impact/Access:     Increased Privileges -- Existing Account
Resolution:        Patch/Upgrade

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Microsoft Security Advisory 3181759

Vulnerabilities in ASP.NET Core View Components Could Allow Elevation of 

Published: September 13, 2016

Version: 1.0

Executive Summary

Microsoft is releasing this security advisory to provide information about a 
vulnerability in the public versions of ASP.NET Core MVC 1.0.0. This advisory
also provides guidance on what developers can do to help ensure that their 
applications are updated correctly.

Microsoft is aware of a security vulnerability in the public version of 
ASP.NET Core MVC 1.0.0 where View Components could receive incorrect 
information, including details of the current authenticated user. If a View 
Component depends on the vulnerable code and makes decisions based on the 
current user, then the View Component could make incorrect decisions that 
result in elevation of privilege.

Mitigating Factors

A View Component must use the User property that is exposed by the 
ViewComponent class to make decisions or change output based on the contents 
of the User property. Third-party code may also include View Components that 
act in such a way. Microsoft encourages all developers to update their 
packages, regardless of whether they use either View Components or the User 
property within them, to protect against future use of the components by 
either themselves or third-party software.

Affected Software

A Microsoft ASP.NET Core project is affected by the vulnerability if it uses 
any of the affected package versions in the following table.

Affected packages and versions

Package name

Package version

Microsoft.AspNetCore.Mvc 1.0.0

Microsoft.AspNetCore.Mvc.Abstractions 1.0.0

Microsoft.AspNetCore.Mvc.ApiExplorer 1.0.0

Microsoft.AspNetCore.Mvc.Core 1.0.0

Microsoft.AspNetCore.Mvc.Cors 1.0.0

Microsoft.AspNetCore.Mvc.DataAnnotations 1.0.0

Microsoft.AspNetCore.Mvc.Formatters.Json 1.0.0

Microsoft.AspNetCore.Mvc.Formatters.Xml 1.0.0

Microsoft.AspNetCore.Mvc.Localization 1.0.0

Microsoft.AspNetCore.Mvc.Razor 1.0.0

Microsoft.AspNetCore.Mvc.Razor.Host 1.0.0

Microsoft.AspNetCore.Mvc.TagHelpers 1.0.0

Microsoft.AspNetCore.Mvc.ViewFeatures 1.0.0

Microsoft.AspNetCore.Mvc.WebApiCompatShim 1.0.0

Advisory FAQ

How do I know if I am affected?

ASP.NET Core has two different types of dependencies: direct and transitive. 
If your project has either a direct or transitive dependency on any of the 
affected packages listed in the Affected Software section, then it may be 

Direct Dependencies

Direct dependencies occur when you specifically add a package to your project.
For example, if you add the Microsoft.AspNetCore.Mvc package to your project,
then you have taken a direct dependency on Microsoft.AspNetCore.Mvc.

Direct dependencies are discoverable by reviewing your project.json file.

Transitive Dependencies

Transitive dependencies occur when you add a package to your project that in 
turn relies on another package. For example, if you add the 
Microsoft.AspNetCore.Authentication package to your project, it depends on the
Microsoft.AspNetCore.Http package (among others). This causes your project to
have a direct dependency on Microsoft.AspNetCore.Authentication and a 
transitive dependency on the Microsoft.AspNetCore.Http package.

Transitive dependencies are reviewable in the Microsoft Visual Studio Solution
Explorer window, which also supports search, or by reviewing the 
project.lock.json file contained in the root directory of your project. This 
file contains the authoritative list of packages for your project.

How do I fix my affected application?

You will need to fix both direct dependencies and review and fix any 
transitive dependencies. Version 1.0.1 of each of the vulnerable packages 
contains the fixes required to secure your application.

Fixing Direct Dependencies

To fix direct dependencies:

1. Open your project.json file in your editor. Look for the dependencies 
section. The following provides an example section:

      "dependencies": {
        "Microsoft.NETCore.App": {
          "version": "1.0.0",
          "type": "platform"
        "Microsoft.AspNetCore.Server.Kestrel": "1.0.0",
        "Microsoft.AspNetCore.Mvc": "1.0.0",

In this example, there are three direct dependencies: Microsoft.NetCore.App, 
Microsoft.AspNetCore.Server.Kestrel and Microsoft.AspNetCore.Mvc.

Microsoft.NetCore.App is the platform that the application is targeted 
against, and it can be ignored. The other packages expose their version to the
right of the package name. In this example, the non-platform packages are 
version 1.0.0.

2. Review your direct dependencies against the list of vulnerable packages in
the Affected Software section of this advisory.

For each vulnerable package where there is a direct dependency, change the 
version number in your editor to 1.0.1. After updating all vulnerable package
versions, save your project.json file.

The dependencies section in our example project.json file would now appear as

      "dependencies": {
        "Microsoft.NETCore.App": {
          "version": "1.0.0",
          "type": "platform"
        "Microsoft.AspNetCore.Server.Kestrel": "1.0.0",
        "Microsoft.AspNetCore.Mvc": "1.0.1",

If you are using Visual Studio and save your updated project.json file, the 
new version will be restored by Visual Studio. You can see the restore results
by opening the Output Window (Ctrl+Alt+O), and then changing the Show output 
from drop-down list to Package Manager.

If you are not using Visual Studio, open a command line and change to your 
project directory. Execute the dotnet restore command to restore your new 

3. After you have addressed all of your direct dependencies, you are ready to
review your transitive dependencies.

Reviewing Transitive Dependencies

There are two ways to view transitive dependencies: Use Visual Studio Solution
Explorer, or review your project.lock.json file.

Using Visual Studio Solution Explorer

If you want to use Solution Explorer, open your project in Visual Studio, and
then press Ctrl+; to activate the search in Solution Explorer. Search for each
of the package names that are listed in the Affected Software section in this
advisory, and make a note of any vulnerable packages that you find.

For example, searching for Microsoft.AspNetCore.Mvc in an example project that
contains a package that takes a dependency on Microsoft.AspNetCore.Mvc 
displays the following results in the following figure.


Figure 1: Searching in Visual Studio

The search results appear as a tree. In the results, you can see the 
identified references. The first entry under the References heading refers to
the target framework that your application is using. This will be .NETCoreApp,
.NETStandard or .NET-Framework-vX.Y.Z (where X.Y.Z is an actual version 
number) depending on how you configured your application. Under your target 
framework the list of packages display that you have directly taken a 
dependency on. In this example, the application takes a dependency on 
VulnerablePackage. VulnerablePackage in turn has leaf nodes that list its 
dependencies and their versions. In this case, the package takes a dependency
on a vulnerable version of Microsoft.AspNetCore.Mvc and others.

Manually Reviewing project.lock.json

Open the project.lock.json file in your editor. We suggest using an editor 
that understands json and that allows you to collapse and expand nodes to 
review this file. Both Visual Studio and Visual Studio Code provide this 

If you are using Visual Studio, the project.lock.json file is under the 
project.json file. Click the right pointing triangle, , to the left of the 
project.json file to expand the solution tree to expose the project.lock.json
file. The following figure displays a project with the project.json file 
expanded to show the project.lock.json file.


Figure 2: project.lock.json file location

Search the project.lock.json files for the vulnerable packages that are listed
in the Affected Software section of this advisory. For each package, take the
package name, add a / and then append the version number. For example, 
Microsoft.AspNetCore.Mvc version 1.0.0 is represented in the project.lock.json
file as Microsoft.AspNetCore.Mvc/1.0.0. Make a note of each package name that
you find that matches an entry in the table in the Affected Software section 
of this advisory.

Fixing Transitive Dependencies

You may now have a list of affected packages. If you have not found any 
transient packages, then either none of your dependencies in turn depend on a
vulnerable package, or you have already fixed the problem by updating the 
direct dependencies.

If your transitive dependency review has produced a list of vulnerable 
packages, then you must add a direct dependency to an updated version of each
vulnerable package to your project.json file to override the transitive 
dependency. Open your project.json file and find the dependencies section. For

  "dependencies": {
    "Microsoft.NETCore.App": {
      "version": "1.0.0",
      "type": "platform"
    "Microsoft.AspNetCore.Server.Kestrel": "1.0.0",
    "VulnerablePackage": "1.0.0-*"

The results of the transitive package search show that VulnerablePackage 
depends on Microsoft.AspNet.Mvc version 1.0.0. To fix this example, you must 
add a direct dependency by adding it to the project.json file. You can do this
by adding a new line to the dependencies section that refers to the fixed 
version. For example, to pull in the fixed version of Microsoft.AspNet.Mvc, 
version 1.0.1, edit the project.json file as follows:

  "dependencies": {
    "Microsoft.NETCore.App": {
      "version": "1.0.0",
      "type": "platform"
    "Microsoft.AspNetCore.Mvc": "1.0.1",
    "Microsoft.AspNetCore.Server.Kestrel": "1.0.0",
    "VulnerablePackage": "1.0.0-*"

After adding direct dependencies to the fixed packages, save your project. 
json file.

If you are using Visual Studio, saving the updated project.json file stores 
the new versions in Visual Studio. To see the restore results, open the Output
Window (Ctrl+Alt+O) and change the Show output from drop-down list to Package

If you are not using Visual Studio, open a command line and change to your 
project directory. Execute the dotnet restore command to restore your new 

You may want to check for transitive dependencies again to ensure that you 
have fixed all of them.

Rebuilding Your Application

Finally, rebuild your application, test it as you normally would, and then 
redeploy it using your favored deployment mechanism.

Suggested Actions

Update the ASP.NET Core templates

"Microsoft .NET Core 1.0.1 VS 2015 Tooling Preview 2" updates the ASP.NET Core
templates to use the fixed packages.

To download this preview, see the "Tools" section of the .NET Downloads page.

Other Information

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides 
vulnerability information to major security software providers in advance of 
each monthly security update release. Security software providers can then use
this vulnerability information to provide updated protections to customers via
their security software or devices, such as antivirus, network-based intrusion
detection systems, or host-based intrusion prevention systems. To determine 
whether active protections are available from security software providers, 
please visit the active protections websites provided by program partners, 
listed in Microsoft Active Protections Program (MAPP) Partners.


- - You can provide feedback by completing the Microsoft Help and Support form,
Customer Service Contact Us.


- - You can ask questions about this advisory on GitHub in the ASP.NET Core MVC
repo section.

- - Customers in the United States and Canada can receive technical support from
Security Support. For more information, see Microsoft Help and Support.

- - International customers can receive support from their local Microsoft 
subsidiaries. For more information, see International Support.

- - Microsoft TechNet Security provides additional information about security in
Microsoft products.


The information provided in this advisory is provided "as is" without warranty
of any kind. Microsoft disclaims all warranties, either express or implied, 
including the warranties of merchantability and fitness for a particular 
purpose. In no event shall Microsoft Corporation or its suppliers be liable 
for any damages whatsoever including direct, indirect, incidental, 
consequential, loss of business profits or special damages, even if Microsoft
Corporation or its suppliers have been advised of the possibility of such 
damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply.


- - V1.0 (September 13, 2016): Advisory published.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967