Upgrade CoreWCF.UnixDomainSocket to version 1.8.1, 1.9.1 or higher.
CoreWCF.UnixDomainSocket is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. The goal of this project is to enable existing WCF services to move to .NET Core.
Affected versions of this package are vulnerable to Missing Authentication for Critical Function through the UnixPosixIdentitySecurityUpgradeAcceptor in the Unix domain socket transport. A client that connects to a Unix domain socket endpoint without performing a real security upgrade can make the stream upgrade appear to have negotiated a remote identity. The acceptor eagerly initialized _remoteSecurity to a non-null SecurityMessageProperty, which defeated the framing pipeline's null check that is meant to detect a skipped stream upgrade. As a result, server code could treat an unauthenticated connection as carrying a remote security identity, allowing requests to proceed without the expected negotiated identity and undermining access control in Unix domain socket deployments.
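The following is an added, self-contained C# model of the defect described above; it is not CoreWCF source, and apart from the names _remoteSecurity and SecurityMessageProperty taken from the advisory, every type and method in it (EagerAcceptor, LazyAcceptor, FramingPipeline, CompleteUpgrade) is a stand-in constructed for this illustration. It shows why eagerly initializing _remoteSecurity breaks the pipeline's null check: a connection that never performs the upgrade is still reported as carrying a remote identity, whereas the lazily-initialized acceptor is reported as unauthenticated until an upgrade actually completes.

```csharp
using System;

// Stand-in for the real SecurityMessageProperty: holds whatever identity
// the transport believes it negotiated for this connection.
public sealed class SecurityMessageProperty
{
    public string PrimaryIdentity { get; }
    public SecurityMessageProperty(string primaryIdentity) => PrimaryIdentity = primaryIdentity;
}

public interface IStreamUpgradeAcceptor
{
    // Contract the framing pipeline relies on: null means that no stream
    // upgrade has been negotiated on this connection.
    SecurityMessageProperty RemoteSecurity { get; }
    void CompleteUpgrade(string peerIdentity);
}

// Vulnerable pattern (hypothetical model): _remoteSecurity is non-null from
// construction, so a client that skips the upgrade still looks authenticated.
public sealed class EagerAcceptor : IStreamUpgradeAcceptor
{
    private SecurityMessageProperty _remoteSecurity = new SecurityMessageProperty("anonymous");
    public SecurityMessageProperty RemoteSecurity => _remoteSecurity;
    public void CompleteUpgrade(string peerIdentity) =>
        _remoteSecurity = new SecurityMessageProperty(peerIdentity);
}

// Hardened pattern (hypothetical model): _remoteSecurity stays null until an
// upgrade really completes, so the pipeline's null check carries meaning.
public sealed class LazyAcceptor : IStreamUpgradeAcceptor
{
    private SecurityMessageProperty _remoteSecurity; // null until upgraded
    public SecurityMessageProperty RemoteSecurity => _remoteSecurity;
    public void CompleteUpgrade(string peerIdentity) =>
        _remoteSecurity = new SecurityMessageProperty(peerIdentity);
}

public static class FramingPipeline
{
    // Models the pipeline's decision point: a null RemoteSecurity is how it
    // detects that the client skipped the stream upgrade.
    public static bool HasNegotiatedIdentity(IStreamUpgradeAcceptor acceptor) =>
        acceptor.RemoteSecurity != null;

    // Models the server-side outcome: requests on a connection with a
    // negotiated identity proceed under that identity; others are rejected.
    public static string Dispatch(IStreamUpgradeAcceptor acceptor) =>
        HasNegotiatedIdentity(acceptor)
            ? "ALLOW as " + acceptor.RemoteSecurity.PrimaryIdentity
            : "REJECT (no negotiated identity)";
}

public static class Program
{
    public static void Main()
    {
        // Scenario 1: connection arrives and sends a request without ever
        // performing the application/unixposix upgrade.
        Console.WriteLine("eager acceptor, no upgrade: " + FramingPipeline.Dispatch(new EagerAcceptor()));
        Console.WriteLine("lazy acceptor,  no upgrade: " + FramingPipeline.Dispatch(new LazyAcceptor()));

        // Scenario 2: the upgrade completes and supplies a peer identity
        // (constructed sample value, not a real credential).
        var upgraded = new LazyAcceptor();
        upgraded.CompleteUpgrade("uid:1000");
        Console.WriteLine("lazy acceptor,  upgraded:   " + FramingPipeline.Dispatch(upgraded));
    }
}
```

Run it as a console project with `dotnet run`. The first line is the failure mode the advisory describes (an unupgraded connection is allowed through as "anonymous" rather than rejected); the second line shows the null check doing its job once the acceptor no longer pre-populates _remoteSecurity. The fix in the affected package is to upgrade as stated above; the model only explains what the patched behaviour needs to guarantee.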
Notes
UnixDomainSocketBinding with Security.Mode = TransportCredentialOnly and Security.Transport.ClientCredentialType = PosixIdentity is in scope; the bypass is tied to the Unix domain socket transport path rather than the general WCF framing stack.
ServiceSecurityContext.PrimaryIdentity can be affected even when the client never performs the application/unixposix upgrade.