We had a third-party security audit on a legacy .NET Framework application. One of the findings indicated that our configuration related to the <startup> and <supportedRuntime> elements in app.config represents a potential security risk, since disclosing this would allow an attacker to target known vulnerabilities in those specific runtimes.

My app.config has a standard entry:

<configuration>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.7.2" />
  </startup>
</configuration>

Is there any way to remove this section?

  • Perhaps I am way out of step with the times, but this strikes me as a very strange finding. Configuration files generally contain all sorts of information about how an application operates; that is sort of what they do. Is it possible this is just a false positive? Commented Aug 19 at 9:27
  • Shouldn't the third-party security audit provide modification suggestions? This file can be freely edited. Perhaps the finding just indicates that you are using a legacy .NET Framework version. Commented Aug 19 at 10:07
  • Seems like security by obscurity to me. Commented Aug 19 at 14:06
  • Yes, remove it. 99% it will just work without it. If it doesn't, just fix the issues (they'll be compile-time, not run-time). Commented Aug 19 at 20:44

1 Answer

Not sure about the third party's audit verdict. But IMO, you should verify their suggestion. Perhaps it's not required at all. The configuration file should contain the runtime and other configuration-related values.

However, if you insist on deleting these from your config file, you can do so. But keep in mind that:

  • On .NET 4.0+ apps, it defaults to v4.0 runtime (then rolls forward to whatever 4.x is installed).

  • On .NET 2.0/3.5 apps, it defaults to v2.0 CLR.

This usually works fine unless your app was explicitly depending on a particular runtime behavior.
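To check the claim above on your own build, the following is an added example (not code from the question or the answer) that reports what the process's .config requests in <startup>/<supportedRuntime> next to the CLR and framework build the process actually bound to; run it once with the element present and once after removing it and compare. It assumes a .NET Framework 4.7.1 or later install, since RuntimeInformation.FrameworkDescription is not available on older 4.x builds.

```csharp
// Added example: compare the runtime requested in app.config with the runtime loaded.
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Xml.Linq;

static class RuntimeBindingReport
{
    static void Main()
    {
        // Path of this process's own app.config (MyApp.exe.config beside the exe).
        string configPath = AppDomain.CurrentDomain.SetupInformation.ConfigurationFile;
        Console.WriteLine("Config file:  " + configPath);

        if (File.Exists(configPath))
        {
            var doc = XDocument.Load(configPath);
            var supported = doc.Root?.Element("startup")?.Element("supportedRuntime");
            if (supported == null)
            {
                // No element: the loader picks the default for the assembly's target framework.
                Console.WriteLine("Requested:    <supportedRuntime> absent (runtime default applies)");
            }
            else
            {
                Console.WriteLine("Requested:    version=" + (string)supported.Attribute("version")
                                  + " sku=" + (string)supported.Attribute("sku"));
            }
        }

        // Environment.Version reports the CLR (4.0.30319.x for every 4.x build), so it alone
        // cannot show roll-forward; FrameworkDescription names the installed 4.x build in use.
        Console.WriteLine("CLR version:  " + Environment.Version);
        Console.WriteLine("Framework:    " + RuntimeInformation.FrameworkDescription);
        Console.WriteLine("Target name:  " + (AppContext.TargetFrameworkName ?? "(none)"));
    }
}
```

If the "Framework" line is identical with and without the element, the app is already rolling forward to the installed 4.x build, and the element only documents the original target.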
