CVE-2024-21392 Overview
CVE-2024-21392 is a denial of service vulnerability affecting Microsoft .NET, PowerShell, and Visual Studio 2022. The flaw is categorized under [CWE-400] uncontrolled resource consumption. A remote, unauthenticated attacker can send crafted network traffic to a vulnerable application to exhaust resources and cause service unavailability. Microsoft published guidance through the Microsoft Security Update CVE-2024-21392 on March 12, 2024. The vulnerability impacts availability only, with no confidentiality or integrity impact.
Critical Impact
Unauthenticated network attackers can trigger resource exhaustion in .NET, PowerShell, and Visual Studio 2022 processes, leading to service downtime for affected applications.
Affected Products
- Microsoft .NET
- Microsoft PowerShell (including 7.4)
- Microsoft Visual Studio 2022
Discovery Timeline
- 2024-03-12 - Microsoft releases security advisory and patch
- 2024-03-12 - CVE-2024-21392 published to NVD
- 2024-11-29 - Last updated in NVD database
Technical Details for CVE-2024-21392
Vulnerability Analysis
The vulnerability is a denial of service condition in the Microsoft .NET runtime, with downstream impact on PowerShell (which runs on .NET) and Visual Studio 2022 (which embeds .NET). An attacker reaches the vulnerable code path over the network without authentication or user interaction. Successful exploitation exhausts process resources, terminates the target application, or makes it unresponsive. The Exploit Prediction Scoring System (EPSS) places this CVE at the 74th percentile, indicating moderate likelihood of exploitation activity relative to other CVEs.
Root Cause
The underlying weakness is uncontrolled resource consumption ([CWE-400]). The affected .NET code paths fail to enforce limits on memory, CPU time, or other finite resources when processing attacker-supplied input. Microsoft has not disclosed the specific component or parser at fault. Refer to the Microsoft Security Update CVE-2024-21392 for vendor-supplied technical context.
Attack Vector
Exploitation occurs over the network with low complexity and requires no privileges. Any .NET-based service or application that exposes a listener processing untrusted input is a candidate target. This includes ASP.NET applications, PowerShell remoting endpoints, and developer services bound to network interfaces. No public proof-of-concept code or exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
No verified code examples are available for this vulnerability. See the vendor advisory for technical specifics.
Detection Methods for CVE-2024-21392
Indicators of Compromise
- Unexplained spikes in CPU or memory consumption by dotnet.exe, pwsh.exe, powershell.exe, or devenv.exe processes.
- Repeated application crashes or unresponsiveness on hosts running .NET workloads, ASP.NET sites, or PowerShell remoting endpoints.
- Anomalous inbound network connections to .NET service ports immediately preceding service failure.
Detection Strategies
- Correlate Windows Event Log entries for .NET runtime exceptions and application restarts with concurrent inbound network flows.
- Monitor performance counters for # of Exceps Thrown / sec, working set growth, and thread pool starvation on .NET hosts.
- Track availability and crash telemetry for IIS application pools and PowerShell remoting sessions.
Monitoring Recommendations
- Establish baselines for resource consumption on Visual Studio build agents and .NET application servers to surface deviations.
- Forward .NET Runtime and Application Error event channels to a central SIEM for correlation.
- Alert on repeated process termination of pwsh.exe or worker processes within short time windows from a single remote source.
How to Mitigate CVE-2024-21392
Immediate Actions Required
- Apply the Microsoft security updates for .NET, PowerShell, and Visual Studio 2022 referenced in the Microsoft Security Update CVE-2024-21392 advisory.
- Inventory all hosts running affected .NET runtime versions and prioritize internet-facing services for patching.
- Restart updated applications and IIS worker processes to ensure the patched runtime is loaded.
Patch Information
Microsoft released patches on March 12, 2024 as part of its monthly security update cycle. Updates are distributed through Windows Update, the Microsoft Update Catalog, and Visual Studio Installer. PowerShell 7.4 users should update to the patched release through GitHub or the standard installer. Consult the Microsoft Security Update CVE-2024-21392 advisory for the precise build numbers applicable to each product channel.
Workarounds
- Restrict network exposure of .NET-based services using host firewalls, network ACLs, or reverse proxies that enforce request rate limits.
- Disable PowerShell remoting on systems where it is not required using Disable-PSRemoting.
- Place rate limiting and request size limits in front of ASP.NET endpoints until patches are applied.
# Configuration example
# Verify installed .NET runtime versions
dotnet --list-runtimes
# Disable PowerShell remoting where not required
Disable-PSRemoting -Force
# Restrict inbound access to a .NET service port (example: 5985 WinRM)
New-NetFirewallRule -DisplayName "Restrict WinRM" -Direction Inbound -Protocol TCP -LocalPort 5985 -RemoteAddress 10.0.0.0/8 -Action Allow
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
