FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial
FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial

CVE-2024-43498

Access of Resource Using Incompatible Type ('Type Confusion') (CWE-843)

Published: Nov 12, 2024

010
CVSS 9.8EPSS 0.09%Critical
CVE info copied to clipboard

Summary

A critical type confusion vulnerability exists in .NET 9.0 and Visual Studio. This vulnerability allows a remote unauthenticated attacker to execute arbitrary code by sending specially crafted requests to a vulnerable .NET web application or by loading a specially crafted file into a vulnerable desktop application. The vulnerability is classified as a type confusion issue (CWE-843: Access of Resource Using Incompatible Type) and requires no user interaction or special privileges to exploit.

Impact

The impact of this vulnerability is severe, with a CVSS base score of 9.8 (Critical). Successful exploitation could lead to complete system compromise, allowing attackers to: 1. Execute arbitrary code remotely on affected systems 2. Steal sensitive information 3. Modify or delete data 4. Disrupt system operations The vulnerability has a high impact on confidentiality, integrity, and availability. Its network-based attack vector (AV:N) and the lack of required privileges (PR:N) or user interaction (UI:N) make it particularly dangerous, as it can be exploited without direct user engagement. Given the widespread use of .NET in enterprise environments, this vulnerability poses a significant risk to organizational security.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. Microsoft released an official fix for this vulnerability on November 12, 2024. Security teams should prioritize applying this patch immediately to all affected systems running .NET 9.0 or vulnerable versions of Visual Studio.

Mitigation

1. Apply the official patch released by Microsoft immediately to all affected .NET 9.0 and Visual Studio installations. 2. Implement network segmentation to limit exposure of vulnerable systems. 3. Monitor for suspicious network activity targeting .NET and Visual Studio installations. 4. Keep all .NET and Visual Studio installations up to date with the latest security updates. 5. Use the principle of least privilege for user accounts and applications. 6. Consider using Web Application Firewalls (WAF) or Intrusion Detection/Prevention Systems (IDS/IPS) to help detect and block potential exploit attempts.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

CVSS

A CVSS base score of 9.8 has been assigned.

Nov 12, 2024 at 5:55 PM / microsoft
First Article

Feedly found the first article mentioning CVE-2024-43498. See article

Nov 12, 2024 at 6:00 PM / Microsoft Security Advisories - MSRC
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 12, 2024 at 6:02 PM
CVE Assignment

NVD published the first details for CVE-2024-43498

Nov 12, 2024 at 6:15 PM
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Nov 12, 2024 at 6:28 PM
Vendor Advisory

GitHub Advisories released a security advisory.

Nov 12, 2024 at 7:29 PM
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 12, 2024 at 11:07 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (210867)

Nov 13, 2024 at 2:15 AM
CVSS

A CVSS base score of 9.8 has been assigned.

Nov 13, 2024 at 3:16 AM / nvd
Static CVE Timeline Graph

Affected Systems

Microsoft/visual_studio_2022
+null more

Patches

Microsoft
+null more

References

.NET and Visual Studio Remote Code Execution Vulnerability
Microsoft Security Advisories - MSRC / 7d
A remote unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to a vulnerable .NET webapp or by loading a specially crafted file into a vulnerable desktop app. .NET 9.0 installed on Linux
ION Advisory: November Patch Tuesday
Resource Center | Ontinue / 5d
None of the following critical vulnerabilities below have been reported as being actively exploited or publicly disclosed: The following vulnerabilities have been reported as publicly disclosed, but not yet actively exploited :

News

oracle_linux ELSA-2024-9543: ELSA-2024-9543: .NET 9.0 security update (IMPORTANT)
Recently Released Plugin Pipeline from Tenable / 2h
Released Last Updated: 11/20/2024 CVEs: CVE-2024-43499 , CVE-2024-43498 Plugins: 211615
alma_linux ALSA-2024:9543: ALSA-2024:9543: .NET 9.0 security update (High)
Recently Released Plugin Pipeline from Tenable / 12h
Released Last Updated: 11/19/2024 CVEs: CVE-2024-43499 , CVE-2024-43498 Plugins: 211577
AlmaLinux 9 : .NET 9.0 (ALSA-2024:9543)
Newest Plugins from Tenable / 12h
The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2024:9543 advisory. The remote AlmaLinux host is missing one or more security updates.
[ALSA-2024:9543] Important: .NET 9.0 security update
AlmaLinux 9 Product Errata / 20h
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Security Fix(es): For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
2024-45 - Adobe, Mozilla, Canonical, Red Hat, Microsoft, Google, Jenkins, GitHub, Spring 🗂️
Advisory Week / 1d
Advisory Week Week 45, 2024 National Cyber Awareness System CISA Releases Nineteen Industrial Control Systems Advisories CISA Adds Two Known Exploited Vulnerabilities to Catalog Palo Alto Networks Emphasizes Hardening Guidance Fortinet Releases Security Updates for Multiple Products Microsoft Releases November 2024 Security Updates Adobe Releases Security Updates for Multiple Products Ivanti Releases Security Updates for Multiple Products JCDC’s Collaborative Efforts Enhance Cybersecurity for the 2024 Olympic and Paralympic Games Citrix Releases Security Updates for NetScaler and Citrix Session Recording CISA Releases Five Industrial Control Systems Advisories CISA, FBI, NSA, and International Partners Release Joint Advisory on 2023 Top Routinely Exploited Vulnerabilities CISA Adds Five Known Exploited Vulnerabilities to Catalog Adobe Security Bulletins and Advisories Security updates available for Adobe Photoshop APSB24-89 Security Updates Available for Adobe Commerce APSB24-90 Security Updates Available for Adobe Illustrator APSB24-66 APSB24-87 Security Update Available for Adobe InDesign APSB24-88 Security Updates Available for Adobe Bridge APSB24-77 Security Updates Available for Adobe Audition APSB24-83 Mozilla Security Advisories Security Vulnerabilities fixed in Thunderbird 132.0.1 mfsa2024-62 Security Vulnerabilities fixed in Thunderbird 128.4.3 mfsa2024-61 Ubuntu Security Notices Linux kernel vulnerabilities: USN-7089-6 / USN-7088-5 / USN-7089-5 / USN-7110-1 / USN-7089-4 / USN-7100-2 / USN-7100-1 GD Graphics Library vulnerability: USN-7112-1 Go vulnerabilities: USN-7111-1 / USN-7109-1 Linux kernel vulnerability:
See 110 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

CVSS 9.8(27010)CWE-843(541)CWE-704(239)Microsoft(12100)

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI

Feedly Threat Intelligence30-day free trial