Bulletin Identifier
Microsoft Security Bulletin MS11-100

Bulletin Title
Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)

Executive Summary
This security update resolves one publicly disclosed vulnerability and three privately reported vulnerabilities in Microsoft .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if an unauthenticated attacker sends a specially crafted web request to the target site. An attacker who successfully exploited this vulnerability could take any action in the context of an existing account on the ASP.NET site, including executing arbitrary commands.
The security update addresses the vulnerabilities by correcting the manner in which the .NET Framework handles specially crafted requests, and the manner in which the ASP.NET Framework authenticates users and handles cached content.
This security update also addresses the vulnerability first described in Microsoft Security Advisory 2659883.

Affected Software
This security update is rated Critical for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5 Service Pack 1, Microsoft .NET Framework 3.5.1, and Microsoft .NET Framework 4 on all supported editions of Microsoft Windows.

CVE, Exploitability Index Rating
• CVE-2011-3414: Collisions in Hash Table May Cause DoS Vulnerability (EI = 3)
• CVE-2011-3415: Insecure Redirect in .NET Forms Authentication Vulnerability (EI = NA)
• CVE-2011-3416: ASP.NET Forms Authentication Bypass Vulnerability (EI = 1)
• CVE-2011-3417: ASP.NET Forms Authentication Ticket Caching Vulnerability (EI = 2)

Attack Vectors
• An unauthenticated attacker could send a small number of specially crafted ASP.NET requests to an affected ASP.NET site, causing a denial of service condition. (CVE-2011-3414)
• An attacker could create a specially crafted URL and convince a user to click it. After the user logs on to an expected website, the attacker then redirects the user to a website controlled by the attacker. Once there, the attacker could convince the user to divulge information otherwise intended to remain private. (CVE-2011-3415)
• An unauthenticated attacker would need to obtain a valid account name to the site. The attacker could then craft a special web request using a previously registered account name to gain access to that account. (CVE-2011-3416)
• An attacker could exploit the vulnerability by sending a specially crafted link to the user and convincing the user to click the link. (CVE-2011-3417)

Mitigating Factors
CVE-2011-3414 (Collisions in Hash Tables May Cause DoS Vulnerability)
• By default, IIS is not enabled on any Windows operating system.
• Sites that disallow "application/x-www-form-urlencoded" or "multipart/form-data" HTTP content types are not vulnerable.

CVE-2011-3415 (Insecure Redirect in .NET Form Authentication Vulnerability)
• This vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise user information.
• By default, installing ASP.NET does not enable Forms Authentication. It has to be explicitly configured per-application to be enabled.
• IIS is not installed by default.
• By default, ASP.NET is not installed when .NET Framework is installed. Only customers who manually install and enable ASP.NET are likely to be vulnerable to this issue.
• The attacker would have to convince the user to click a link in order to exploit the vulnerability.

CVE-2011-3416 (Forms Authentication Bypass Vulnerability)
• An attacker must be able to register an account on the ASP.NET application, and must know an existing user name.
• By default, installing ASP.NET does not enable Forms Authentication. It has to be explicitly configured per-application to be enabled.
• IIS is not installed by default.
• By default, ASP.NET is not installed when .NET is installed. Only customers who manually install and enable ASP.NET are likely to be vulnerable to this issue.

CVE-2011-3417 (Forms Authentication Ticket Caching Vulnerability)
• By default, ASP.NET responses are not cached by the OutputCache. The developer of the site has to opt-in to output caching via the OutputCache directive on a page.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the target user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
• By default, IIS is not installed on any affected operating system version. Only customers who manually install this are likely to be vulnerable to this issue.
• By default, ASP.NET is not installed when .NET is installed. Only customers who manually install and enable ASP.NET are likely to be vulnerable to this issue.

Restart Requirement
This update may require a restart.

Bulletins Replaced by This Update
MS10-070 and MS11-078.

Publicly Disclosed? Exploited?
CVE-2011-3414 (Collisions in Hash Tables May Cause Denial of Service Vulnerability) was publicly disclosed prior to release. The other three vulnerabilities were private.
At this time we are not aware of any exploits in the wild for any of these vulnerabilities.

Full Details
http://technet.microsoft.com/security/bulletin/MS11-100