Windows : Microsoft Bulletins : Microsoft ASP.NET Information Disclosure Vulnerability (2418042)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.901161

Categoría: Windows : Microsoft Bulletins

Título: Microsoft ASP.NET Information Disclosure Vulnerability (2418042)

Resumen: This host is missing a critical security update according to; Microsoft Bulletin MS10-070.

Descripción: Summary:
This host is missing a critical security update according to
Microsoft Bulletin MS10-070.

Vulnerability Insight:
The flaw is due to an error within ASP.NET in the handling of
cryptographic padding when using encryption in CBC mode. This can be
exploited to decrypt data via returned error codes from an affected server.

Vulnerability Impact:
Successful exploitation could allow remote attackers to decrypt and gain
access to potentially sensitive data encrypted by the server or read data from arbitrary
files within an ASP.NET application. Obtained information may aid in further attacks.

Affected Software/OS:
- Microsoft ASP.NET 1.0

- Microsoft ASP.NET 4.0

- Microsoft ASP.NET 3.5.1

- Microsoft ASP.NET 1.1 SP1 and prior

- Microsoft ASP.NET 2.0 SP2 and prior

- Microsoft ASP.NET 3.5 SP1 and prior

Solution:
The vendor has released updates. Please see the references for more information.

CVSS Score:
6.4

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:N

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2010-3332
BugTraq ID: 43316
http://www.securityfocus.com/bid/43316
http://isc.sans.edu/diary.html?storyid=9568
http://pentonizer.com/general-programming/aspnet-poet-vulnerability-what-else-can-i-do/
http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310
http://twitter.com/thaidn/statuses/24832350146
http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2799/Oracle-Padding-Vulnerability-in-ASP-NET.aspx
http://www.ekoparty.org/juliano-rizzo-2010.php
http://www.theinquirer.net/inquirer/news/1732956/security-researchers-destroy-microsoft-aspnet-security
http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html
Microsoft Security Bulletin: MS10-070
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12365
http://securitytracker.com/id?1024459
http://secunia.com/advisories/41409
http://www.vupen.com/english/advisories/2010/2429
http://www.vupen.com/english/advisories/2010/2751
XForce ISS Database: ms-aspdotnet-padding-info-disclosure(61898)
https://exchange.xforce.ibmcloud.com/vulnerabilities/61898

Copyright Copyright (C) 2010 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.901161
Categoría:	Windows : Microsoft Bulletins
Título:	Microsoft ASP.NET Information Disclosure Vulnerability (2418042)
Resumen:	This host is missing a critical security update according to; Microsoft Bulletin MS10-070.
Descripción:	Summary: This host is missing a critical security update according to Microsoft Bulletin MS10-070. Vulnerability Insight: The flaw is due to an error within ASP.NET in the handling of cryptographic padding when using encryption in CBC mode. This can be exploited to decrypt data via returned error codes from an affected server. Vulnerability Impact: Successful exploitation could allow remote attackers to decrypt and gain access to potentially sensitive data encrypted by the server or read data from arbitrary files within an ASP.NET application. Obtained information may aid in further attacks. Affected Software/OS: - Microsoft ASP.NET 1.0 - Microsoft ASP.NET 4.0 - Microsoft ASP.NET 3.5.1 - Microsoft ASP.NET 1.1 SP1 and prior - Microsoft ASP.NET 2.0 SP2 and prior - Microsoft ASP.NET 3.5 SP1 and prior Solution: The vendor has released updates. Please see the references for more information. CVSS Score: 6.4 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2010-3332 BugTraq ID: 43316 http://www.securityfocus.com/bid/43316 http://isc.sans.edu/diary.html?storyid=9568 http://pentonizer.com/general-programming/aspnet-poet-vulnerability-what-else-can-i-do/ http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310 http://twitter.com/thaidn/statuses/24832350146 http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2799/Oracle-Padding-Vulnerability-in-ASP-NET.aspx http://www.ekoparty.org/juliano-rizzo-2010.php http://www.theinquirer.net/inquirer/news/1732956/security-researchers-destroy-microsoft-aspnet-security http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html Microsoft Security Bulletin: MS10-070 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12365 http://securitytracker.com/id?1024459 http://secunia.com/advisories/41409 http://www.vupen.com/english/advisories/2010/2429 http://www.vupen.com/english/advisories/2010/2751 XForce ISS Database: ms-aspdotnet-padding-info-disclosure(61898) https://exchange.xforce.ibmcloud.com/vulnerabilities/61898
Copyright	Copyright (C) 2010 Greenbone AG