CVE-2023-36558 is a security vulnerability found in ASP.NET Core, Microsoft’s highly popular web framework. The bug allows attackers to bypass certain security features, putting your web applications and sensitive data at risk. In simple terms, this loophole could let someone slip past protections that were supposed to keep them out.
This wasn’t just some obscure bug—Microsoft officially acknowledged it and released a fix with security updates. In this post, we’ll break down what went wrong, how attackers can exploit it, and what you need to do.
Original References
- Microsoft’s official advisory
- NVD entry
- GitHub ASP.NET Security Documentation *(Replace with real link when available)*
The Short Version
Some ASP.NET Core configurations trusted headers (like those for forwarded host or protocols) sent from clients or untrusted proxies. Attackers could forge these headers and “trick” your app into thinking requests were coming from somewhere safe, sometimes bypassing authentication, authorization, or HTTPS enforcement.
How the Vulnerability Works
Many modern web apps sit behind load balancers, reverse proxies, or cloud services. These intermediaries add special headers to tell your ASP.NET Core app “Hey, the original request came from here, over HTTPS, to this host.”
But ASP.NET Core relies on configuration to decide *who* to trust for these headers. If your app isn’t locked down, it might believe whatever the user sends—allowing attackers to:
Let's see a simplified example using .UseForwardedHeaders() in an ASP.NET Core app
// A dangerous, default config
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
// No ForwardedHeadersOptions.KnownProxies or KnownNetworks specified!
});
In this risky setup, any incoming request can set the X-Forwarded-For and X-Forwarded-Proto headers, and your app will trust them.
Now, imagine you have this snippet to redirect to HTTPS
if (!Request.IsHttps)
{
// Redirect to HTTPS
return Redirect("https://"; + Request.Host + Request.Path);
}
But, an attacker simply sends
GET /some-page HTTP/1.1
Host: yourapp.com
X-Forwarded-Proto: https
Your app thinks the request is secure—even if it arrived via plain HTTP—so the redirect never happens! This misleads your security logic.
ASP.NET Core app accepts these as truth
- No restriction on which IPs/proxies can set these fields.
Attacker achieves their goal
- Maybe gets sensitive information, avoids authentication, or conducts phishing/internal attacks.
Suppose your app has this logic for admin access
if (Request.Host == "admin.example.com")
{
// Show admin dashboard
}
With no forwarder restriction, an attacker requests
GET /admin HTTP/1.1
Host: victim.example.com
X-Forwarded-Host: admin.example.com
Result: They see the admin dashboard, not meant for them!
Remediation: How to Fix
Upgrade:
The best defense? Patch ASAP! Microsoft addressed this in November 2023 Patch Tuesday updates (see advisory).
Properly Configure Your App:
Lock down which proxies/addresses your app trusts for forwarded headers.
app.UseForwardedHeaders(new ForwardedHeadersOptions
{
ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto,
KnownProxies = { IPAddress.Parse("192.168.1.10") }, // Your trusted proxy IP here
});
Or, use KnownNetworks for IP ranges.
Conclusion
CVE-2023-36558 reminds us that even the best web frameworks can stumble over trust boundaries. Always validate configurations, patch often, and don’t take incoming header fields at face value. Check your use of forwarded headers today—your app’s security might depend on it.
References
- MSRC Official: CVE-2023-36558
- NVD: CVE-2023-36558
- ASP.NET Core security docs
Timeline
Published on: 11/14/2023 22:15:29 UTC
Last modified on: 11/21/2023 20:01:19 UTC