CVE-2023-21808 – Patched MS zero-day vulnerability (14th Feb 2023)

Preface: .NET is a free, cross-platform, open source developer platform for building many different types of applications. With .NET, you can use multiple languages, editors, and libraries to build web, mobile, desktop, games, IoT, and more.

Background: The demand for .NET will continue to increase as long as new and better technologies are developed.
.NET 6 is an LTS (Long Term Support) release and will be supported with bug and security fixes for 3 years. .NET 7, however, is an STS (Short Term Support) release and will only be supported for 18 months (6 months beyond the release of .NET 8).
.NET 8 will ship during the .NET Conf 2023 event, around Nov. 10.

Internet Information Services (IIS) is the flexible, general-purpose web server provided by Microsoft that runs on Windows.
IIS can be used to host, deploy, and manage web applications using technologies such as ASP.NET and PHP.
A PDB file is created when you compile a C/C++ program with /ZI or /Zi or a Visual Basic, Visual C#, or JScript program with the /debug option.
You need to configure your build machine to publish your .pdb files into a known directory which is later used in your IIS configuration.
However, when .pdb files are deployed with the website, an exception occurs, and you have not set the CustomErrors property in web.config, the stack trace will be displayed with file names and line numbers.
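The check below is an added example, not code from the original post or from Microsoft: it audits a site directory for the combination described above, deployed .pdb files together with `customErrors` switched off in web.config. The function names, the returned keys and the sample site layout are assumptions constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET


def audit_site(web_root):
    """Check one site directory for the exposure described above (hypothetical helper)."""
    modes = []
    config_path = os.path.join(web_root, "web.config")
    if os.path.isfile(config_path):
        root = ET.parse(config_path).getroot()
        # A missing mode attribute means the ASP.NET default, RemoteOnly.
        modes = [n.get("mode", "RemoteOnly") for n in root.iter("customErrors")]
    errors_off = any(m.lower() == "off" for m in modes)
    pdbs = []
    for folder, _dirs, files in os.walk(web_root):
        for name in files:
            if name.lower().endswith(".pdb"):
                rel = os.path.relpath(os.path.join(folder, name), web_root)
                pdbs.append(rel.replace(os.sep, "/"))
    return {
        "custom_errors_off": errors_off,
        "pdb_files": sorted(pdbs),
        # Both conditions together give remote clients file names and line numbers.
        "leaks_source_lines": errors_off and bool(pdbs),
    }


def build_sample_site(root, mode):
    """Write a constructed site layout (not from the original page) for the demo."""
    os.makedirs(os.path.join(root, "bin"), exist_ok=True)
    with open(os.path.join(root, "web.config"), "w", encoding="utf-8") as fh:
        fh.write('<configuration><system.web>'
                 f'<customErrors mode="{mode}" />'
                 '</system.web></configuration>')
    for name in ("App.dll", "App.pdb"):
        open(os.path.join(root, "bin", name), "wb").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        for mode in ("Off", "RemoteOnly"):
            build_sample_site(site, mode)
            print(mode, audit_site(site))
```

With `RemoteOnly` the .pdb files are still reported, so they can be removed from the deployment even when remote clients only see the generic error page.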

Vulnerability details: A vulnerability exists in how .NET reads debugging symbols, where reading a malicious symbols file may result in remote code execution.

Solution: For details, see the link – https://devblogs.microsoft.com/dotnet/february-2023-updates/
