Microsoft .NET framework WSDL parser PrintClientProxy remote code execution vulnerability
Overview
The Microsoft .NET framework fails to properly parse WSDL content, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description
The PrintClientProxy method in the WSDL-parsing component of the Microsoft .NET framework fails to properly handle linefeed characters. If an attacker can trigger the .NET framework to trigger a specially-crafted WSDL file, this can result in arbitrary code execution. This vulnerability is currently being exploited in the wild, by way of an RTF file with an embedded Soap Moniker object that triggers a remote WSDL file to be retrieved and parsed. Other attack vectors may be possible. |
Impact
By causing the .NET framework to parse a specially-crafted WSDL file, an unauthenticated remote attacker may be able to execute arbitrary code on a vulnerable system. Current exploits achieve this by convincing a user to open a RTF document. |
Solution
Apply an update |
Enable Protected View for RTF documents in Microsoft Word |
Vendor Information (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Microsoft Corporation | Affected | - | 13 Sep 2017 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| Temporal | 6.5 | E:H/RL:OF/RC:C |
| Environmental | 6.5 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
References
- https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8759