VRDA Feed by JPCERT/CC
  Vulnerability Response Decision Assistance Feed : Information for vulnerability impact analysis



 
Vulnerability Analysis Result (Revision No : 1)
CVE-2010-3332
.net_framework: Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2,...
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3332

Original

Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack.


About This Analysis Information
Analysis Information Provider: NIST NVD
First Published: 2010-09-22
Source Information Category: Advisory, Alert
Last Updated: 2010-09-22




Affected Product Tags
cpe:/a:microsoft:.net_framework:1.0:sp3
cpe:/a:microsoft:.net_framework:1.1:sp1
cpe:/a:microsoft:.net_framework:2.0:sp2
cpe:/a:microsoft:.net_framework:3.5
cpe:/a:microsoft:.net_framework:3.5.1
cpe:/a:microsoft:.net_framework:3.5:sp1
cpe:/a:microsoft:.net_framework:4.0
 


Vulnerability Analysis Results
[Access Vector]
Undefined
Local
Adjacent Network
X Network

[Access Complexity]
Undefined
High
Medium
X Low

[Authentication]
Undefined
Multiple
Single
X None

[Confidentiality Impact]
Undefined
None
X Partial
Complete

[Integrity Impact]
Undefined
X None
Partial
Complete

[Availability Impact]
Undefined
X None
Partial
Complete

Alternatives




References
BID 43316
CONFIRM http://www.microsoft.com/technet/security/advisory/2416728.mspx
CONFIRM http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
CONFIRM http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx
MISC http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html
MISC http://www.theinquirer.net/inquirer/news/1732956/security-researchers-destroy-microsoft-aspnet-security
MISC http://www.ekoparty.org/juliano-rizzo-2010.php
MISC http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2799/Oracle-Padding-Vulnerability-in-ASP-NET.aspx
MISC http://twitter.com/thaidn/statuses/24832350146
MISC http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310
MISC http://pentonizer.com/general-programming/aspnet-poet-vulnerability-what-else-can-i-do/
MISC http://isc.sans.edu/diary.html?storyid=9568
SECTRACK 1024459
SECUNIA 41409
VUPEN ADV-2010-2429
Vulnerability Type Cryptographic Issues (CWE-310)
XF ms-aspdotnet-padding-info-disclosure(61898)

Copyright © 2010 JPCERT/CC All Rights Reserved.