Trust must be established prior to enabling the loading of remote code in .Net 4.

From Microsoft DotNet Framework 4.0 STIG

Part of APPNET0065 Load From Remote Sources

Associated with IA controls: DCFA-1, DCSL-1

SV-41010r1_rule Trust must be established prior to enabling the loading of remote code in .Net 4.

Vulnerability discussion

In the .NET Framework version 3.5 and earlier versions, if an application assembly loaded code/objects from a remote location, that assembly would run partially trusted with a permissions grant set that depended on the zone in which it was loaded. For example, if an assembly was loaded from a web site, it was loaded into the Internet zone and granted the Internet permission set. In other words, it was executed in an Internet sandbox.If the same program is run in the .NET Framework version 4, an exception is thrown which effectively states; either explicitly create a sandbox for the assembly or run it in full trust.The <loadFromRemoteSources> element specifies the assemblies that run partially trusted in earlier versions of the .NET Framework will be run fully trusted in the .NET Framework 4.If loadFromRemoteSources is set to true, the remotely loaded application code is granted full trust. This could create an integrity vulnerability on the system. The required method to address this is to explicitly create a sandboxed environment for the remotely loaded code to run in rather than allowing remotely loaded code to run with full trust.The appropriate level of trust must be established prior to enabling the loading of remote code in .Net 4 applications and that code must be run in a controlled environment. The following is an example of the use of loadFromRemoteSources.<configuration><runtime> <loadFromRemoteSources enabled="true" "https://my.dodorg.gov" /> <loadFromRemoteSources enabled="true" "https://192.168.0.*" /> <loadFromRemoteSources enabled="false" "*" /></runtime></configuration>

Check content

Open Windows explorer and search for *.exe.config. Search each config file found for the "loadFromRemoteSources" element. If the loadFromRemoteSources element is enabled ("loadFromRemoteSources enabled = true"), and the remotely loaded application is not run in a sandboxed environment, or if OS based software controls, such as AppLocker or Software Security Policies, are not utilized, this is a finding.

Fix text

.Net application code loaded from a remote source must be run in a controlled environment. A controlled environment consists of a sandbox, such as running in an Internet Explorer host environment or employing OS based software access controls, such as AppLocker or Software Security Policies, when application design permits. Obtain documented IAO approvals for all remotely loaded code.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer