CVE-2026-54784
C# Vulnerability Analysis and Mitigation

Overview

CVE-2026-54784 is a cryptographic flaw in CoreWCF (the open-source .NET implementation of WCF) where the SPNEGO SecurityContextToken (SCT) proof key is wrapped without confidentiality protection, allowing a network observer to recover the proof key and impersonate the authenticated Windows principal. It affects CoreWCF.Primitives NuGet package version 1.9.0 only (versions >= 1.9.0, < 1.9.1). The vulnerability was published on June 16, 2026, and added to the GitHub Advisory Database on June 19, 2026. It carries a CVSS v3.1 base score of 7.4 (High) (GitHub Advisory, CoreWCF Advisory).

Technical details

The root cause is classified under CWE-311 (Missing Encryption of Sensitive Data) and CWE-523 (Unprotected Transport of Credentials). During WS-SecureConversation session establishment using SPNEGO with TransportWithMessageCredential security mode and Windows client credentials, the proof key included in the RequestSecurityTokenResponse (RSTR) is not wrapped with confidentiality protection. This means any network-positioned party capable of observing the SCT negotiation handshake can extract the proof key from the RSTR message. With the recovered proof key, the attacker can derive the same session keys as the legitimate client, enabling impersonation of the authenticated Windows principal for the full SCT lifetime (default approximately 10 hours) (GitHub Advisory, CoreWCF Advisory).

Impact

A successful attacker who observes the SCT negotiation handshake can impersonate the authenticated Windows principal for up to ~10 hours (the default SCT lifetime), and can decrypt or forge any subsequent WS-SecureConversation traffic that uses keys derived from the compromised SCT. This results in high confidentiality and high integrity impact — sensitive service messages can be read and tampered with — though availability is not directly affected. Services relying on Windows authentication for access control decisions are at risk of unauthorized access and data manipulation for the duration of the compromised session (GitHub Advisory).

Exploitation steps

  1. Reconnaissance: Identify CoreWCF-based services exposed on the network that use TransportWithMessageCredential security mode with Windows client credentials and WS-SecureConversation session establishment (version 1.9.0 of CoreWCF.Primitives).
  2. Network Positioning: Position to observe network traffic between the client and the CoreWCF service — this could be achieved via ARP spoofing, rogue network device, or access to an unencrypted network segment (e.g., absence of SSL/TLS on the transport).
  3. Capture SCT Negotiation: Intercept the WS-SecureConversation handshake, specifically the RequestSecurityTokenResponse (RSTR) message exchanged during session establishment.
  4. Extract Proof Key: Parse the RSTR message to recover the unprotected proof key, which is transmitted without confidentiality wrapping due to the vulnerability.
  5. Derive Session Keys: Use the recovered proof key to derive the same WS-SecureConversation session keys as the legitimate client.
  6. Impersonate and Decrypt/Forge: For the duration of the SCT lifetime (~10 hours by default), impersonate the authenticated Windows principal to decrypt intercepted WS-SecureConversation messages or forge new ones accepted by the service (GitHub Advisory).

Indicators of compromise

  • Network: Unexpected or duplicate WS-SecureConversation session establishment requests from IP addresses not matching the legitimate client; network captures showing RSTR messages transmitted over unencrypted channels.
  • Logs: Service-side logs showing authenticated requests from a Windows principal originating from unexpected source IP addresses or client identifiers during an active SCT session; multiple concurrent sessions for the same Windows principal from different endpoints.
  • Application: Anomalous WCF service activity attributed to a Windows account during off-hours or from unusual network locations, potentially indicating session impersonation (GitHub Advisory).
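A detection sketch for the session-level indicators above, added here as an example (it is not from the advisory or from CoreWCF). The CSV log layout, the field names `sct_id`, `src_ip` and `event`, and every sample row are constructed assumptions; map them to whatever your service actually logs.

```python
import csv
import io
from datetime import datetime, timedelta

SCT_LIFETIME = timedelta(hours=10)  # default SCT lifetime stated on this page (approximate)

# Constructed sample log; the column layout and every value are assumptions.
SAMPLE_LOG = """\
time,principal,sct_id,src_ip,event
2026-06-20T06:00:00,carol@corp.example,sct-04,10.0.4.30,negotiate
2026-06-20T08:00:00,alice@corp.example,sct-01,10.0.4.17,negotiate
2026-06-20T08:05:00,alice@corp.example,sct-01,10.0.4.17,request
2026-06-20T09:30:00,alice@corp.example,sct-01,10.0.9.50,request
2026-06-20T09:31:00,alice@corp.example,sct-01,10.0.9.50,request
2026-06-20T10:00:00,bob@corp.example,sct-02,10.0.4.22,negotiate
2026-06-20T11:00:00,bob@corp.example,sct-03,10.0.7.80,negotiate
2026-06-20T17:00:00,carol@corp.example,sct-05,10.0.5.30,negotiate
"""

def detect(log_text, lifetime=SCT_LIFETIME):
    """Return (rule, principal, sct_id, src_ip) alerts from a time-ordered log."""
    sessions = {}  # sct_id -> (negotiation time, negotiating IP, principal)
    alerts = []

    def alert(rule, who, sct, ip):
        if (rule, who, sct, ip) not in alerts:  # one alert per rule/session/endpoint
            alerts.append((rule, who, sct, ip))

    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.fromisoformat(row["time"])
        who, sct, ip = row["principal"], row["sct_id"], row["src_ip"]
        if row["event"] == "negotiate":
            # Same principal already holds an unexpired SCT negotiated from another endpoint.
            if any(w == who and i != ip and when - t < lifetime
                   for t, i, w in sessions.values()):
                alert("concurrent-session", who, sct, ip)
            sessions[sct] = (when, ip, who)
        elif sct in sessions:
            # An established SCT is being used from an address that did not negotiate it.
            t, negotiated_ip, _ = sessions[sct]
            if ip != negotiated_ip and when - t < lifetime:
                alert("sct-used-from-new-ip", who, sct, ip)
    return alerts
```

Clients behind NAT pools, proxies or roaming networks change source address legitimately, so treat these alerts as leads to correlate with the package version in use rather than as proof of impersonation.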

Mitigation and workarounds

The primary fix is to upgrade CoreWCF.Primitives to version 1.9.1, which correctly wraps the SCT proof key with confidentiality protection (GitHub Advisory, CoreWCF Advisory). As an interim workaround for deployments that cannot upgrade immediately, ensure all communication between clients and the CoreWCF service is protected by SSL/TLS at the transport layer, which prevents a network observer from capturing the SCT negotiation handshake and recovering the proof key. Organizations should audit their CoreWCF service configurations for use of TransportWithMessageCredential with Windows credentials and prioritize patching those deployments.
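One way to run the audit described above over a source checkout, added here as an example (it is not tooling from the advisory or the CoreWCF project). It flags direct and transitive references to CoreWCF.Primitives in the affected range (>= 1.9.0, < 1.9.1) and lines that configure TransportWithMessageCredential; the function names are hypothetical.

```python
import json
import re
import xml.etree.ElementTree as ET
from pathlib import Path

PACKAGE = "corewcf.primitives"        # NuGet package ids are case-insensitive
AFFECTED = ((1, 9, 0), (1, 9, 1))     # from this page: versions >= 1.9.0, < 1.9.1
RISKY_MODE = "TransportWithMessageCredential"

def is_affected(version):
    """True when a version string such as '1.9.0' or '[1.9.0]' is in the affected range."""
    m = re.match(r"\s*\[?\s*(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    return bool(m) and AFFECTED[0] <= tuple(int(g or 0) for g in m.groups()) < AFFECTED[1]

def scan_csproj(text):
    """Direct references: PackageReference with Version as attribute or child element."""
    hits = []
    for el in ET.fromstring(text).iter():
        if el.tag.split("}")[-1] == "PackageReference" and el.get("Include", "").lower() == PACKAGE:
            version = el.get("Version") or next(
                (c.text for c in el if c.tag.split("}")[-1] == "Version"), None)
            if is_affected(version):
                hits.append(f"direct reference {version}")
    return hits

def scan_lockfile(text):
    """Resolved versions, including transitive ones, from packages.lock.json."""
    hits = []
    for framework, packages in json.loads(text).get("dependencies", {}).items():
        for name, info in packages.items():
            if name.lower() == PACKAGE and is_affected(info.get("resolved")):
                hits.append(f"{info.get('type', '?').lower()} {info['resolved']} for {framework}")
    return hits

def scan_source(text):
    """Lines in code or config that select the security mode named in the advisory."""
    return [f"line {n}: {RISKY_MODE}"
            for n, line in enumerate(text.splitlines(), 1) if RISKY_MODE in line]

def scan_tree(root):
    """Walk a checkout and return (path, finding) pairs for review."""
    by_suffix = {".csproj": scan_csproj, ".cs": scan_source, ".config": scan_source}
    findings = []
    for path in sorted(Path(root).rglob("*")):
        scanner = (scan_lockfile if path.name == "packages.lock.json"
                   else by_suffix.get(path.suffix.lower()))
        if scanner and path.is_file():
            text = path.read_text(encoding="utf-8-sig", errors="replace")
            findings += [(str(path), hit) for hit in scanner(text)]
    return findings
```

Call `scan_tree("path/to/repo")` and prioritize projects that show both an affected version and the security mode.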

This report was generated using AI.

Related C# vulnerabilities:

CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date
CVE-2026-48109 | HIGH | 8.2 | C# | MessagePack | No | Yes | Jun 22, 2026
CVE-2026-54784 | HIGH | 7.4 | C# | CoreWCF.Primitives | No | Yes | Jun 19, 2026
CVE-2026-54783 | HIGH | 7.4 | C# | CoreWCF.Primitives | No | Yes | Jun 19, 2026
CVE-2026-56370 | NONE | N/A | C# | Magick.NET-Q8-OpenMP-x64 | No | Yes | Jun 25, 2026
CVE-2026-56368 | NONE | N/A | C# | imagemagick | No | Yes | Jun 25, 2026
