Vulnerabilities

Reporting vulnerabilities

Please report security vulnerabilities by sending email to secure@microsoft.com

Known vulnerabilities

Some versions of Mono had security vulnerabilities found after their public release. This page contains a list of the known vulnerabilities, starting with the most recent one.

string-to-double parser bug

CVE: CVE-2009-0689

Mono’s string-to-double parser may crash, on specially crafted input. This could theoretically lead to arbitrary code execution.

The following sample program may crash the runtime, on affected versions:

using System;
class Test
{
    static void Main()
    {
        string input = "1." + new string('1', 294912);
        Double.Parse(input);
    }
}

Versions affected:

  • All versions prior to 4.2.0.179

Versions fixed:

Individual patch for affected versions:

https://gist.github.com/directhex/01e853567fd2cc74ed39

Credits:

TLS bugs

CVE: CVE-2015-2318, CVE-2015-2319, CVE-2015-2320

Mono’s implementation of the SSL/TLS stack failed to check the order of the handshake messages. Which would allow various attacks on the protocol to succeed. Details of this vulnerability are discussed in SKIP-TLS post.

Mono’s implementation of SSL/TLS also contained support for the weak EXPORT cyphers and was susceptible to the FREAK attack.

Versions affected:

  • All Mono versions available before March 6th, 2015.

Versions fixed:

Individual Patches for versions earlier than Mono 3.10:

  • Handshake fix: patch
  • Removal of EXPORT ciphers: patch

We also encourage developers to disable the SSLv2 fallback, patch for Mono:

Credits:

Moonlight RuntimeHelpers.InitializeArray on non-primitive value types

CVE: CVE-2011-0989

Missing validations on RuntimeHelpers.InitializeArray can allow untrusted code to modify internal structures leading to plugin crashes and possibly corrupting Moonlight’s security manager internal state.

Version affected:

  • Moonlight 2.x
  • Moonlight 3.x previews

Version fixed:

  • Moonlight 2.4.1
  • Moonlight 3.99 preview 3

Notes:

  • Moonlight 1.x does not execute managed code (i.e. does not include Mono) so it is not affected by this vulnerability.
  • The vulnerability is located in mono source code but can only be exploited (by untrusted applications) when used by Moonlight.

Credits:

Moonlight Race in Array.Copy “FastCopy” Internal Call

CVE: CVE-2011-0990

A race in the internal call implementing a fast-copy optimization for Array.Copy can allow untrusted code to modify internal structures leading to to plugin crashes and possibly corrupting Moonlight’s security manager internal state.

Version affected:

  • Moonlight 2.x
  • Moonlight 3.x previews

Version fixed:

  • Moonlight 2.4.1
  • Moonlight 3.99 preview 3

Notes:

  • Moonlight 1.x does not execute managed code (i.e. does not include Mono) so it is not affected by this vulnerability.
  • The vulnerability is located in mono source code but can only be exploited (by untrusted applications) when used by Moonlight.

Credits:

Moonlight DynamicMethod Resurrection

CVE: CVE-CVE-2011-0991

DynamicMethod instances could be finalized, freeing its data, then resurrected leading to use-after-free of their data.

Version affected:

  • Moonlight 2.x
  • Moonlight 3.x previews

Version fixed:

  • Moonlight 2.4.1
  • Moonlight 3.99 preview 3

Notes:

  • Moonlight 1.x does not execute managed code (i.e. does not include Mono) so it is not affected by this vulnerability.
  • The vulnerability is located in mono source code but can only be exploited (by untrusted applications) when used by Moonlight.

Credits:

Moonlight Improper Thread Finalization

CVE: CVE-2011-0992

Improper cleanup when freeing unmanaged MonoThread instances could allow the use, after being freed, of some member data if the managed instance is resurrected. This could crash the plugin or allow information disclosure.

Version affected:

  • Moonlight 2.x
  • Moonlight 3.x previews

Version fixed:

  • Moonlight 2.4.1
  • Moonlight 3.99 preview 3

Notes:

  • Moonlight 1.x does not execute managed code (i.e. does not include Mono) so it is not affected by this vulnerability.
  • The vulnerability is located in mono source code but can only be exploited (by untrusted applications) when used by Moonlight.

XSP/mod_mono source code disclosure

CVE: CVE-2010-4225

An unloading bug can, under some circumstances, let ASP.NET applications misbehave and return the source code (.aspx) of the application or any other file in the web application directory.

Version affected:

  • Mono / XSP / mod_mono 2.8.x

Version fixed:

  • Mono / XSP / mod_mono 2.8.2

Moonlight Generic Constraints Bypass Vulnerability

CVE: CVE-2010-4254

Some missing generic checks inside Mono can be exploited (e.g. mutate strings, run arbitrary code) by untrusted web (silverlight/moonlight) applications even if they are executed under a security manager (coreclr) that sandbox them.

Version affected:

  • Moonlight 2.x
  • Moonlight 3.x previews

Version fixed:

  • Moonlight 2.3.0.1
  • Moonlight 3 preview 10 (2.99.0.10)

Notes:

  • Moonlight 1.x does not execute managed code (i.e. does not include Mono) so it is not affected by this vulnerability.
  • The bug (and fix) is in mono source code but can only be exploited (by untrusted applications) when used by Moonlight.

mono-debugger Insecure Use of LD_LIBRARY_PATH

CVE: CVE-2010-3369

The mono debugger scripts (mdb and mdb-symbolreader) misuse the LD_LIBRARY_PATH environment variable (empty case) which could allow loading shared libraries from the current directory.

Version affected:

  • mono-debugger 2.4.x

Version fixed:

  • mono-debugger 2.8.1

Mono Runtime Insecure Native Library Loading

CVE: CVE-2010-4159

The Mono runtime can be tricked to load native libraries from the current working directory.

Version affected:

  • Mono 1.x and 2.x

Version fixed:

  • Mono 2.8.1

Note: this does not affect loading managed assemblies, only native libraries.

ASP.NET Padding Oracle

CVE: CVE-2010-3332

Mono ASP.NET implementation is vulnerable to the padding oracle attack, i.e. it leaks some details when invalid padding is being decrypted. However it is not possible to download the web.config file from the web server (and retrieve the keys or other data from it). The actual severity of attack depends on the web application.

Version affected:

  • Mono 1.x and 2.x

Version fixed:

  • Mono 2.8.1

References:

Libgdiplus Integer Overflow Vulnerabilities

CVE: CVE-2010-1526

Version affected:

  • libgdiplus 1.x and 2.x

Version fixed:

  • Mono 2.8

Notes:

  • Possible integer overflows, when opening untrusted BMP, JPEG or TIFF files, were fixed in order to avoid potential heap-based buffer overflow.
  • Credits: Stefan Cornelius, Secunia Research

ASP.NET View State Cross-Site Scripting

CVE: CVE-2010-1459

Version affected:

  • Mono 1.x and 2.x

Version fixed:

  • Mono 2.6.4

Notes:

  • Mono’s ASP.NET EnableViewStateMac default was FALSE (like ASP.NET 1.0) and configuration bugs made it impossible to set it to TRUE.
  • Credits: Web Security Research Group (WSRG) of Hewlett Packard (HP)

XML signature HMAC truncation authentication bypass

CVE: CVE-2009-0217

Version affected:

  • Mono 1.x and 2.x

Version fixed:

  • Mono 2.4.2.2

Notes:

Mono System.Web Header Injection Attack

CVE: CVE-2008-3906

Version affected

  • Mono 1.x

Version fixed:

  • Mono 2.0

Mono ASP.NET Cross-Site Scripting

CVE: CVE-2008-3422

Version affected

  • Mono 1.x

Version fixed:

  • Mono 2.0

BigInteger unsafe code overflow

CVE: CVE-2007-5197

Version affected

  • Mono 1.x

Version fixed:

  • Mono 1.2.5.1

Notes:

  • beware unsafe code

XSP source code disclosure [Windows]

CVE: CVE-2007-5473

Version affected

  • Mono 1.x running on Windows operating systems

Fixed in

  • Mono 1.2.5.2

Notes:

  • Mono’s System.Web.dll assembly didn’t consider, before version 1.2.5.2, some Win32-specific behavior affecting filenames ending with spaces or dots. Win32 operating systems ignores the trailing characters, even if the file-system supports them, and can access the similarly named files without reporting any error. This caused XSP to return ASP.NET source code, instead of rendered content, when executed with Mono under Windows

XSP/mod_mono source code disclosure 2

CVE: CVE-2006-6104

Version affected

  • Mono 1.1.13.x (and later 1.1.x versions)
  • Mono 1.2.x

Fixed in

  • Mono 1.2.2
  • Mono 1.1.13.8.2

Notes

  • The problem is exhibited in XSP and, in certain cases mod_mono (when configured with SetHandler) but the fix is in the Mono class libraries. To avoid any compatibility issues you should update both Mono and XSP/mod_mono to the same version.

Workaround

  • Use Apache/Mod_mono configured with AddHander.

Local privilege escalation via System.Xml.Serialization

CVE: CVE-2006-5072

Version affected

  • Mono 1.1.17 (and prior releases)

Fixed in

  • Mono 1.1.17.2
  • Mono 1.1.13.8.1

Workaround

  • Code generation for serialization can be turned off using export MONO_XMLSERIALIZER_THS=no prior to executing Mono applications

XSP/mod_mono directory traversal

CVE: CVE-2006-2658

Versions affected

  • mod_mono 1.1.14 (and prior releases)

Fixed in

  • XSP 1.1.15
  • XSP 1.1.13.7, 1.1.7.13
  • XSP 1.0.9.1, 1.0.6.1

Notes

  • Yes the affected/fixed products are confusing. The bug was in XSP but only exposed when using mod_mono. You should update both packages to avoid compatibility issues.

Mono ASP.NET Unicode Conversion Cross-Site Scripting

CVE: CVE-2005-0509

Versions affected

  • Mono 1.0.5 (and prior 1.0.x releases)
  • Mono 1.1.3 (and prior 1.1.x releases)

Fixed in

  • Mono 1.0.6
  • Mono 1.1.4

Notes

  • This vulnerability wasn’t fixed in MS ASP.NET implementation and could potentially lead into a small interoperability problem.