KB5028608 Change in how .NET Framework runtime imports X.509 Certificates

Note

Release Date:
June 22, 2022

[07/04/2023] revised to include missing versions for Windows 10, version 1607 and 1507

[07/24/2023] revised to add release details for July 11, 2023 Security and Quality Rollup resolution

Summary

This article provides help to mitigate an issue when after installing the June 13, 2023, updates for .NET Framework and .NET, users may experience issues with how .NET Framework runtime imports X.509 Certificates.

Symptom

When using the X509Certificate, X509Certificate2, or X509Certificate2Collection class to import a PKCS#12 blob containing a private key, the calling application may observe the below exception.

  • System.Security.Cryptography.CryptographicException: PKCS12 (PFX) without a supplied password has exceeded maximum allowed iterations. See https:⁠//go.microsoft.com/fwlink/?linkid=2233907 for more information.

This failure affects PKCS#12 blobs which have been exported [e.g., via X509Certificate.Export(X509ContentType.Pfx)] without a password. The failure may occur non-deterministically.

Workaround

Microsoft has released updated installers for .NET Framework and .NET to address this issue. These installers can be applied to the affected machine regardless of whether the machine has already applied the original June 13, 2023, .NET Framework and .NET security updates.

Important

  • If you previously used the registry switches documented at KB5025823 Change in how .NET applications import X.509 certificates to work around this issue, please remove those registry switches before installing the new patch. Run the two commands below from an elevated command prompt to remove the registry switches.
  • reg delete "HKLM\Software\Microsoft\.NETFramework" /v Pkcs12UnspecifiedPasswordIterationLimit /reg:32
  • reg delete "HKLM\Software\Microsoft\.NETFramework" /v Pkcs12UnspecifiedPasswordIterationLimit /reg:64

Resolution

This issue was addressed in out-of-band updates released June 22, 2023, for .NET Framework 4.6.2 and newer versions for Windows and Windows Server versions affected by this issue. To get the standalone package for these out-of-band updates, search for the KB number in the Microsoft Update Catalog. You can manually import these updates into Windows Server Update Services (WSUS) and Microsoft Endpoint Configuration Manager. For WSUS instructions, see WSUS and the Catalog Site. For Configuration Manger instructions, see Import updates from the Microsoft Update Catalog.

If you used any workaround or mitigations for this issue, they are no longer needed, and we recommend you remove them. To remove workaround review the workaround or alternative workaround which was applied for instructions.

Product Version Update
Windows 11, version 22H2
.NET Framework 4.8.1 Catalog 5028576
Windows 11, version 21H2
.NET Framework 4.8 Catalog 5028582
.NET Framework 4.8.1 Catalog 5028575
Windows Server 2022
.NET Framework 4.8 Catalog 5028584
.NET Framework 4.8.1 Catalog 5028578
Azure Stack HCI, version 22H2
.NET Framework 4.8 Catalog 5028584
Azure Stack HCI, version 21H2
.NET Framework 4.8 Catalog 5028584
Windows 10 Version 22H2
.NET Framework 4.8 Catalog 5028579
.NET Framework 4.8.1 Catalog 5028574
Windows 10 Version 21H2
.NET Framework 4.8 Catalog 5028579
.NET Framework 4.8.1 Catalog 5028574
Windows 10 1809 (October 2018 Update) and Windows Server 2019
.NET Framework 4.7.2 Catalog 5028588
.NET Framework 4.8 Catalog 5028581
Windows 10 1607 (Anniversary Update) and Windows Server 2016
.NET Framework 4.6.2, 4.7, 4.7.1, 4.7.2 Catalog 5028623
.NET Framework 4.8 Catalog 5028580
Windows 10 1507
.NET Framework 4.6, 4.6.2 Catalog 5028622
Windows Embedded 8.1 and Windows Server 2012 R2
.NET Framework 4.6.2, 4.7, 4.7.1, 4.7.2 Catalog 5028590
.NET Framework 4.8 Catalog 5028585
Windows Embedded 8 and Windows Server 2012
.NET Framework 4.6.2, 4.7, 4.7.1, 4.7.2 Catalog 5028589
.NET Framework 4.8 Catalog 5028583
Windows Embedded 7 Standard and Windows Server 2008 R2 SP1
.NET Framework 4.6.2, 4.7, 4.7.1, 4.7.2 Catalog 5028591
.NET Framework 4.8 Catalog 5028586
all supported Windows versions
.NET 6.0.19 Catalog 5028613
.NET 7.0.8 Catalog 5028614

This issue was addressed in regular cumulative rollup released July 11, 2023, for all supported .NET Framework versions for Windows and Windows Server versions affected by this issue.  The Security and Quality Rollup is available via Windows Update, Windows Server Update Services, and Microsoft Update Catalog.

Note: Customers that rely on Windows Update and Windows Server Update Services will automatically receive the .NET Framework version-specific updates. Advanced system administrators can also take use of the below direct Microsoft Update Catalog download links to .NET Framework-specific updates. Before applying these updates, please ensure that you carefully review the .NET Framework version applicability, to ensure that you only install updates on systems where they apply.

If you used any workaround or mitigations for this issue, they are no longer needed, and we recommend you remove them. To remove workaround review the workaround or alternative workaround which was applied for instructions.

Product Version Update
Windows 11, version 22H2
.NET Framework 3.5, 4.8.1 Catalog 5028851
Windows 11, version 21H2
.NET Framework 3.5, 4.8 Catalog 5028856
.NET Framework 3.5, 4.8.1 Catalog 5028850
Windows Server 2022
.NET Framework 3.5, 4.8 Catalog 5028858
.NET Framework 3.5, 4.8.1 Catalog 5028852
Azure Stack HCI, version 22H2 5028935
.NET Framework 3.5, 4.8 Catalog 5028858
Azure Stack HCI, version 21H2 5028943
.NET Framework 3.5, 4.8 Catalog 5028858
Windows 10 Version 22H2 5028937
.NET Framework 3.5, 4.8 Catalog 5028853
.NET Framework 3.5, 4.8.1 Catalog 5028849
Windows 10 Version 21H2 5028944
.NET Framework 3.5, 4.8 Catalog 5028853
.NET Framework 3.5, 4.8.1 Catalog 5028849
Windows 10 1809 (October 2018 Update) and Windows Server 2019 5028936
.NET Framework 3.5, 4.7.2 Catalog 5028862
.NET Framework 3.5, 4.8 Catalog 5028855
Windows 10 1607 (Anniversary Update) and Windows Server 2016
.NET Framework 3.5, 4.6.2, 4.7, 4.7.1, 4.7.2 Catalog 5028169
.NET Framework 4.8 Catalog 5028854
Windows 10 1507
.NET Framework 3.5, 4.6, 4.6.2 Catalog 5028186
Windows Embedded 8.1 and Windows Server 2012 R2 5028941
.NET Framework 3.5 Catalog 5028872
.NET Framework 4.6.2, 4.7, 4.7.1, 4.7.2 Catalog 5028864
.NET Framework 4.8 Catalog 5028859
Windows Embedded 8 and Windows Server 2012 5028940
.NET Framework 3.5 Catalog 5028869
.NET Framework 4.6.2, 4.7, 4.7.1, 4.7.2 Catalog 5028863
.NET Framework 4.8 Catalog 5028857
Windows Embedded 7 Standard and Windows Server 2008 R2 SP1 5028939
.NET Framework 3.5.1 Catalog 5028871
.NET Framework 4.6.2, 4.7, 4.7.1, 4.7.2 Catalog 5028865
.NET Framework 4.8 Catalog 5028860
Windows Server 2008 SP2 5028942
.NET Framework 2.0, 3.0 Catalog 5028870
.NET Framework 4.6.2 Catalog 5028865

Affected updates

The following .NET Framework and .NET versions are affected:

  • .NET Framework 4.6.2, 4.7, 4.7.1, 4.7.2, when the June 13, 2022, security update is installed.
  • .NET Framework 4.8, when the June 13, 2022, security update is installed.
  • .NET Framework 4.8.1, when the June 13, 2022, security update is installed.
  • .NET 6.0.18.
  • .NET 7.0.7.

Frequently Asked Questions (FAQs)

When was this change introduced?

This change in behavior was introduced in the June 13, 2022, security updates for .NET and .NET Framework.

Is it necessary for me to install this new update?

Installing this new update is necessary only if your application is experiencing the issue described in the "Symptom" heading at the top of this article. If you are not experiencing this issue, there is no need for you to install this update.

Does this new update replace the June 13, 2023, .NET Framework update?

No. If you are using .NET Framework, you should first install the June 13, 2023 rollup or security-only updates before installing the new June 22, 2023 update.

Does this new update replace .NET 6.0.18 or .NET 7.0.7?

Yes. As part of this update, we are also releasing .NET 6.0.19 and .NET 7.0.8, both of which can be downloaded from https:⁠//get.dot.net/. These releases are intended to replace .NET 6.0.18 and .NET 7.0.7, which were released on June 13, 2023.

The only difference between .NET 6.0.19 / 7.0.8 and .NET 6.0.18 / 7.0.7 is the compatibility fix mentioned above. .NET 6.0.19 / 7.0.8 do not carry any additional security fixes beyond what was already published in .NET 6.0.18 / 7.0.7.

Information about protection and security