CVE-2018-0785 in ASP.NET Core
Summary
by MITRE
ASP.NET Core 1.0, 1.1, and 2.0 allow a cross site request forgery vulnerability due to the ASP.NET Core project templates, aka "ASP.NET Core Cross Site Request Forgery Vulnerability".
Analysis
by VulDB Data Team • 01/29/2021
The CVE-2018-0785 vulnerability represents a critical cross site request forgery flaw affecting ASP.NET Core versions 1.0, 1.1, and 2.0. This vulnerability stems from the default project templates provided by the ASP.NET Core framework, making it particularly dangerous as it affects the foundational security assumptions of applications built using these versions. The issue arises from the lack of proper anti-forgery token implementation in the default scaffolding templates, creating a systemic weakness that impacts countless applications during their initial development phase.
The technical flaw manifests in how the default ASP.NET Core project templates handle anti-forgery protection mechanisms. Specifically, applications generated using these templates do not automatically include the necessary anti-forgery token validation that would normally protect against CSRF attacks. This occurs because the default controllers and views do not incorporate the required ValidateAntiForgeryToken attributes or the corresponding hidden form fields that would typically be present in secure implementations. Attackers can exploit this by crafting malicious requests that trick authenticated users into performing unintended actions on vulnerable applications, leveraging the trust relationship between the user and the web application.
The operational impact of this vulnerability extends beyond individual applications to potentially affect entire development ecosystems that rely on ASP.NET Core templates. Organizations deploying applications using the default project templates are automatically exposed to CSRF attacks without any explicit security configuration. This vulnerability aligns with CWE-352, which specifically addresses Cross-Site Request Forgery weaknesses, and represents a classic example of insecure default configurations that can lead to widespread compromise. The attack surface is particularly broad since the vulnerability affects all applications created from the affected versions, regardless of their specific functionality or security requirements.
Mitigation strategies for CVE-2018-0785 require immediate action from affected organizations. The primary recommendation involves upgrading to patched versions of ASP.NET Core where the default templates properly implement anti-forgery protection. Organizations should also conduct comprehensive security audits of existing applications to identify those using vulnerable templates, ensuring that appropriate anti-forgery token validation is implemented in all forms and POST endpoints. Additionally, security teams should implement continuous monitoring to detect unauthorized changes to anti-forgery configurations and establish secure coding practices that mandate explicit anti-forgery token usage in all application components. This vulnerability demonstrates the critical importance of secure by design principles and the potential consequences of relying on insecure default configurations in web application frameworks, particularly within the ATT&CK framework where such issues often map to initial access and privilege escalation techniques.
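One way to start the audit of forms and POST endpoints described above, as an added example that is not code from VulDB, MITRE or the ASP.NET Core project: a heuristic, line-based Python scan of controller source for state-changing actions that lack antiforgery validation. The sample controllers and their names are constructed, and the scan does not see a validation filter registered globally at startup, so treat its findings as candidates for manual review.

```python
import re

PROTECT = re.compile(r"\b(ValidateAntiForgeryToken|AutoValidateAntiforgeryToken)\b")
IGNORE = re.compile(r"\bIgnoreAntiforgeryToken\b")
UNSAFE_VERB = re.compile(r"\bHttp(Post|Put|Patch|Delete)\b")
ATTR_LINE = re.compile(r"^\s*\[.*\]\s*$")
CLASS_DECL = re.compile(r"\bclass\s+(\w+)")
METHOD_DECL = re.compile(r"\bpublic\s+[\w<>\[\],\s]+?\s+(\w+)\s*\(")

def find_unprotected_actions(source):
    """Return (controller, action) pairs that change state without token validation."""
    findings, pending = [], []            # pending = attribute lines awaiting a declaration
    current_class, class_protected = None, False
    for line in source.splitlines():
        if ATTR_LINE.match(line):
            pending.append(line)
            continue
        attrs = " ".join(pending)
        cls, method = CLASS_DECL.search(line), METHOD_DECL.search(line)
        if cls:
            current_class = cls.group(1)
            class_protected = bool(PROTECT.search(attrs))
        elif method and UNSAFE_VERB.search(attrs):
            covered = class_protected or PROTECT.search(attrs)
            # [IgnoreAntiforgeryToken] on an action switches off class-level validation.
            if IGNORE.search(attrs) or not covered:
                findings.append((current_class, method.group(1)))
        if line.strip():
            pending = []                  # attributes apply only to the next declaration
    return findings

# Constructed sample controllers (hypothetical names), not taken from the templates.
SAMPLE = """
public class AccountController : Controller {
    [HttpPost]
    public async Task<IActionResult> Login(LoginViewModel model) { return View(); }
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout() { return View(); }
}
[AutoValidateAntiforgeryToken]
public class ManageController : Controller {
    [HttpPost]
    public IActionResult ChangePassword(ChangePasswordViewModel model) { return View(); }
    [HttpPost, IgnoreAntiforgeryToken]
    public IActionResult Webhook() { return Ok(); }
}
"""

print(find_unprotected_actions(SAMPLE))
```

Each reported action still needs a check of its view for the matching hidden token field, since the attribute alone rejects requests when the form does not send the token.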