CVE-2024-28252: 
C# vulnerability analysis and mitigation

CoreWCF, a port of the service side of Windows Communication Foundation (WCF) to .NET Core, contains a vulnerability (CVE-2024-28252) that affects NetFraming based services. The vulnerability was discovered and disclosed on March 15, 2024, affecting versions 1.4.1 and 1.5.1 of CoreWCF.NetFramingBase (GitHub Advisory).

The vulnerability occurs in two scenarios: First, when a client establishes a connection to the service and sends no data, the service will wait indefinitely for the client to initiate the NetFraming session handshake. Second, when a client has established a session and doesn't send requests for the configured binding ReceiveTimeout period, the connection is not properly closed during session abortion. The affected bindings include NetTcpBinding, NetNamedPipeBinding, and UnixDomainSocketBinding, with NetTcpBinding being the only one capable of accepting non-local connections. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

The vulnerability can lead to excessive consumption of system resources due to connections being left established instead of being properly closed or aborted. This primarily affects the availability of the system, as indicated by the CVSS metrics showing high impact on availability while having no direct impact on confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in versions 1.4.2 and 1.5.2 of the CoreWCF packages. Users are strongly advised to upgrade to these patched versions as there are no alternative workarounds available (GitHub Advisory).