CVE-2023-36049: Microsoft .NET CRLF Injection Arbitrary File Write/Deletion Vulnerability

A remote command execution vulnerability has been identified in the Microsoft .NET Framework and Visual Studio, which is caused by improper validation of FTP command parameters and FTP URI requests. This vulnerability allows a remote attacker to write or delete files in the context of the FTP server by sending malicious requests. The .NET Framework implements a class FtpControlStream to handle basic FTP control connections, but it fails to validate if the parameters include CRLF characters. Similarly, the FtpWebRequest function fails to validate if the URI argument contains CRLF characters. The attack vector depends on how the vulnerable .NET functions are used in FTP applications. To detect an attack exploiting this vulnerability, detection devices must monitor and parse all FTP traffic and inspect for multiple FTP commands sent in one packet. Microsoft addressed this vulnerability by releasing a patch in November, which has been revised multiple times to include PowerShell versions 7.2, 7.3, and 7.4 as affected platforms. It is recommended to apply the vendor fix to fully resolve this vulnerability.