This vulnerability was discovered by the security researcher Daniel Genkin (via Twitter). It is located in the OpenId sign-in authentication provider. OpenId is Microsoft's identity provider that developers can use to integrate single sign-on features into their web applications. The OpenId sign-in provider is exposed and can be exploited by an attacker to cause a Denial of Service condition on the target system. You can read the details of the vulnerability at https://msdn.microsoft.com/en-us/library/mt146811.
It is important to note that this OpenId sign-in provider is enabled by default on new ASP.NET Web applications. You can learn how to configure this provider by following these steps:
1) Open the Web.config file in the project solution.
2) Add the OpenId sign-in provider by adding the following line to the <providers> section of the file:
<add name="OpenId" type="Microsoft.IdentityModel.Extensions.OpenIdConnectionProvider" connectionString="SIGN_In_Connection_String" />
By default, this provider is enabled, and it can be exploited by an attacker to cause a Denial of Service condition on the target system. This can be done by injecting malicious code into a sign-in page or by submitting a crafted URL. You can secure your application by configuring the OpenId provider to be disabled.
Steps to Disable OpenId Sign-in Provider
1) Open the Web.config file in the project solution.
2) Add the following line to the <providers> section of the file:
<add name="OpenId" type="Microsoft.IdentityModel.Extensions.OpenIdConnectionProvider" connectionString="SIGN_In_Connection_String" />
3) Save this configuration and restart your web application for this change to take effect.
Disable OpenId Sign-in Provider in ASP.NET Web Applications
This vulnerability can be mitigated by disabling the OpenId sign-in provider in your ASP.NET Web application. You can do this by following these steps:
1. Open the Web.config file in the project solution.
2. Add the following line to the
Steps to secure your application from OpenId Denial of Service vulnerabilities
To secure your application from OpenId Denial of Service vulnerabilities, follow these steps:
1) Find the provider in your Web.config file.
2) Add the following line to disable the OpenId provider:
Timeline
Published on: 09/13/2022 19:15:00 UTC
Last modified on: 09/16/2022 18:33:00 UTC