9/16/2015

.NET elevation of privileges vulnerability

Digital Edge is committed to providing the highest levels of security within all the IT infrastructure environments under its care. In order to achieve this utmost goal for all of our clients, we continuously maintain vigilance both on the productive side of IT as well as on its destructive side. We thus send out news and security bulletins such as this one from time to time to ensure that our clients are informed and educated on any important developments in IT security and are fully aware of what we are doing to ensure that we and our clients are always at the Cutting and at the Digital Edge of technology.  

For a while Microsoft didn’t have significant security vulnerabilities that would attract our interest. Last week security advisory however revealed CVE-2015-2504 that requires close attention.
As usually Digital Edge warns the community about possible remote execution and privilege elevation vulnerabilities allowing hackers to break through the security perimeters.

This recent vulnerability allows hackers to craft a .NET request that would go through Code Access Security module. Code Access Security (CAS), in the Microsoft .NET framework, is Microsoft's solution to prevent untrusted code from performing privileged actions. When .NET Common Language Runtime (simply say interpreter) loads an assembly it identifies its permission set. Code that performs privileged access will be examined by the code permission set that is defined by security policy.
Current vulnerability allows an attacker to bypass the security context check and execute privileged operation that could be password change, configuration change, write and execute binaries on the server around security policies.

For more details see CVE at: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2504

All Digital Edge managed or co-managed clients will be patched according to individual schedules.

IIf you feel that you need assistance from the Digital Edge Security team, please contact Danielle Saladis at dsaladis@DIGITALEDGE.NET.

Was this article helpful?
Michael Petrov
Founder, Chief Executive Officer

Michael brings 20 years of experience as an information architect, optimization specialist and operations’ advisor. His experience includes extensive high-profile project expertise, such as mainframe and client server integration for Mellon Bank, extranet systems for Sumitomo Bank, architecture and processing workflow for alternative investment division of US Bank.

LET'S TALK: 800-714-5143