Summary
This host is missing a critical security update according to Microsoft Bulletin MS10-070.
Impact
Successful exploitation could allow remote attackers to decrypt and gain access to potentially sensitive data encrypted by the server or read data from arbitrary files within an ASP.NET application. Obtained information may aid in further attacks.
Impact Level: System/Application
Solution
Run Windows Update and update the listed hotfixes or download and update mentioned hotfixes in the advisory from the below link, http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx
Insight
The flaw is due to an error within ASP.NET in the handling of cryptographic padding when using encryption in CBC mode. This can be exploited to decrypt data via returned error codes from an affected server.
Affected
Microsoft ASP.NET 1.0
Microsoft ASP.NET 4.0
Microsoft ASP.NET 3.5.1
Microsoft ASP.NET 1.1 SP1 and prior
Microsoft ASP.NET 2.0 SP2 and prior
Microsoft ASP.NET 3.5 SP1 and prior
References
- http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
- http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx
- http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html
- http://www.vupen.com/english/advisories/2010/2429
Updated on 2015-03-25
Severity
Classification
-
CVE CVE-2010-3332 -
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:P/I:N/A:N
Related Vulnerabilities
- Microsoft FrontPage Information Disclosure Vulnerability (2825621)
- Microsoft Windows Kernel Denial of Service Vulnerability (2556532)
- Microsoft Windows Kerberos Denial of Service Vulnerability (2743555)
- Microsoft Lync Server Remote Denial of Service Vulnerability (2990928)
- Microsoft Client/Server Run-time Subsystem Privilege Elevation Vulnerability (978037)