We are concerned about the following with regard to .NET being installed on our MDM relay servers:
TEN-58601
According to the HTTP headers received from the remote host, the web server is configured to use the ASP.NET framework.
This framework includes the ValidateRequest feature, which is used by ASP.NET web applications to filter user input in an attempt to prevent cross-site scripting attacks. However, this set of filters can be bypassed if it is the sole mechanism used for protection by a web application.
TEN-64589
The web server running on the remote host appears to be using Microsoft ASP.NET and may be affected by a denial-of-service vulnerability. Requesting a URL containing an MS-DOS device name can cause the web server to become temporarily unresponsive. An attacker could repeatedly request these URLs, resulting in a denial of service.
Version: 20.2
Component: Relay Server
The Relay Server is configured to use ASP.NET for some of its features.
Even though ASP.NET is configured in the IIS server by the Relay Server, its usage is different in the current context. Since the Relay Server and its backend MDM servers are not actually web servers, and hence the MDM server does not process any SQL queries through the Relay Servers, we do not see that a DDoS attack is possible through this setup.
The HTTP payload received by the Relay Server from the MDM client is actually binary data, and no SQL queries are present in it. The binary data is proprietary to MDM applications.
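The TEN-64589 finding describes requests whose URL path contains a reserved MS-DOS device name (CON, PRN, AUX, NUL, COM1 to COM9, LPT1 to LPT9). Whether or not the Relay Server is exposed, an administrator can confirm from the IIS access logs that no such requests are reaching the relay, or how often and from where they do. The script below is an added example written for this page, not code from the MDM vendor or from Tenable; it parses W3C-format IIS log lines using the `#Fields:` header and counts device-name requests per client address. The log lines embedded in it are constructed for illustration (the addresses and paths are not from the page).

```python
"""Review IIS W3C logs for request paths that contain an MS-DOS device name.

Added example (not the vendor's code). Assumes the default IIS W3C log format,
where a "#Fields:" header names the columns and records are space-separated.
"""
from collections import Counter
from urllib.parse import unquote

# Names Windows treats as devices regardless of extension or directory,
# e.g. /aux, /relay/com1.aspx, /nul.txt. COM10 and LPT0 are not reserved.
DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_device_name_path(uri_stem: str) -> bool:
    """True if any path segment's base name (before the first '.') is reserved.

    The path is percent-decoded once so that /%63%6f%6e is treated as /con.
    """
    for segment in unquote(uri_stem).split("/"):
        base = segment.split(".", 1)[0].strip().upper()
        if base in DEVICE_NAMES:
            return True
    return False


def parse_w3c(log_lines):
    """Yield one dict per record, keyed by the column names in '#Fields:'."""
    fields = None
    for line in log_lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def flag_device_requests(log_lines):
    """Return (client-ip, uri-stem, status) for every device-name request."""
    hits = []
    for rec in parse_w3c(log_lines):
        uri = rec.get("cs-uri-stem", "")
        if is_device_name_path(uri):
            hits.append((rec.get("c-ip", "?"), uri, rec.get("sc-status", "?")))
    return hits


def device_requests_by_client(log_lines):
    """Count device-name requests per client, to spot the repeated pattern."""
    return dict(Counter(ip for ip, _, _ in flag_device_requests(log_lines)))


# Constructed sample log (illustrative only; not from the page).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2024-01-15 10:00:01 10.0.0.5 GET /relay/status - 443 192.0.2.10 200
2024-01-15 10:00:02 10.0.0.5 POST /relay/upload - 443 192.0.2.10 200
2024-01-15 10:00:03 10.0.0.5 GET /relay/aux - 443 198.51.100.7 500
2024-01-15 10:00:03 10.0.0.5 GET /relay/com1.aspx - 443 198.51.100.7 500
2024-01-15 10:00:04 10.0.0.5 GET /relay/%63%6f%6e - 443 198.51.100.7 500
2024-01-15 10:00:05 10.0.0.5 GET /relay/console.aspx - 443 192.0.2.11 200
""".splitlines()


if __name__ == "__main__":
    for client, uri, status in flag_device_requests(SAMPLE_LOG):
        print(f"{client} requested {uri} (status {status})")
    print(device_requests_by_client(SAMPLE_LOG))
```

Point the script at a real log by replacing `SAMPLE_LOG` with the lines read from the IIS log file; `/relay/console.aspx` in the sample is a deliberate negative case, since only the whole base name is compared. A burst of hits from one client, especially alongside 5xx statuses or a gap in normal MDM client traffic, is the signal worth investigating.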