Date: 03 January 2012
References: ESB-2012.0012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0013.2
Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
3 January 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           Microsoft .NET Framework
Publisher:         Microsoft
Operating System:  Windows XP
                   Windows Server 2003
                   Windows Vista
                   Windows Server 2008
                   Windows Server 2008 R2
                   Windows 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Increased Privileges            -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-3417 CVE-2011-3416 CVE-2011-3415
                   CVE-2011-3414
Reference:         ESB-2012.0012
Original Bulletin:
   http://technet.microsoft.com/en-us/security/bulletin/ms11-100.mspx
Comment: Microsoft have released an out-of-band bulletin addressing a number
         of vulnerabilities within the .NET Framework.
Revision History:  January 3 2012: Correction of "out of bounds" to "out-of-band" in comment section
                   January 3 2012: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Microsoft Security Bulletin MS11-100 - Critical
Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)
Published: Thursday, December 29, 2011 | Updated: Friday, December 30, 2011
Version: 1.1
General Information
Executive Summary
This security update resolves one publicly disclosed vulnerability and three
privately reported vulnerabilities in Microsoft .NET Framework. The most severe
of these vulnerabilities could allow elevation of privilege if an
unauthenticated attacker sends a specially crafted web request to the target
site. An attacker who successfully exploited this vulnerability could take any
action in the context of an existing account on the ASP.NET site, including
executing arbitrary commands. In order to exploit this vulnerability, an
attacker must be able to register an account on the ASP.NET site, and must know
an existing user name.
This security update is rated Critical for Microsoft .NET Framework 1.1 Service
Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework
3.5 Service Pack 1, Microsoft .NET Framework 3.5.1, and Microsoft .NET
Framework 4 on all supported editions of Microsoft Windows. For more
information, see the subsection, Affected and Non-Affected Software, in this
section.
Affected Software
Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5 Service Pack 1
Microsoft .NET Framework 4[1]
[1] .NET Framework 4 and .NET Framework 4 Client Profile affected. The .NET
Framework version 4 redistributable packages are available in two profiles:
.NET Framework 4 and .NET Framework 4 Client Profile. .NET Framework 4 Client
Profile is a subset of .NET Framework 4. The vulnerability addressed in this
update affects both .NET Framework 4 and .NET Framework 4 Client Profile. For
more information, see the MSDN article, Installing the .NET Framework.
Vulnerability Information
Collisions in HashTable May Cause DoS Vulnerability - CVE-2011-3414
A denial of service vulnerability exists in the way that ASP.NET Framework
handles specially crafted requests, causing a hash collision. An attacker who
successfully exploited this vulnerability could send a small number of
specially crafted requests to an ASP.NET server, causing performance to degrade
significantly enough to cause a denial of service condition.
Insecure Redirect in .NET Form Authentication Vulnerability - CVE-2011-3415
A spoofing vulnerability exists in the way that .NET Framework verifies return
URLs during the forms authentication process. An attacker who successfully
exploited this vulnerability would be able to redirect a user to a website of
the attacker's choosing without the user's knowledge. The attacker could then
perform a phishing attack to gain information from the user they did not intend
to disclose. This vulnerability would not allow an attacker to execute code or
to elevate their user rights directly, but it could be used to further
compromise user information intended to remain private.
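
A return-URL check of the kind this class of issue calls for, written as an added example that is not part of the bulletin and is not the .NET Framework's own validation. It assumes the return URL arrives in a `ReturnUrl` query parameter on a `login.aspx` page; the function names and sample requests are constructed, and the function can be used both to gate the redirect and to review access logs.

```python
from urllib.parse import urlsplit, parse_qs


def is_local_return_url(url):
    """True only for a same-site path: starts with one '/', no scheme, no host."""
    if not url or not url.startswith("/"):
        return False
    # Control characters have no place in a redirect target.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    # '//host' is scheme-relative, and browsers read '\' as '/', so '/\host' is too.
    if url[1:2] in ("/", "\\"):
        return False
    parts = urlsplit(url)
    return parts.scheme == "" and parts.netloc == ""


def redirect_target(return_url, default="/"):
    """Page to send the user to after login: the requested one if local, else the default."""
    return return_url if is_local_return_url(return_url) else default


def flag_login_requests(request_targets, param="ReturnUrl"):
    """Return the request targets whose return-URL parameter points off-site."""
    flagged = []
    for target in request_targets:
        query = parse_qs(urlsplit(target).query)  # parse_qs percent-decodes once
        if any(not is_local_return_url(v) for v in query.get(param, [])):
            flagged.append(target)
    return flagged


# Constructed request targets, as they would appear in a web server access log.
SAMPLE_REQUESTS = [
    "/login.aspx?ReturnUrl=%2fdefault.aspx",
    "/login.aspx?ReturnUrl=%2faccount%2forders.aspx%3fid%3d7",
    "/login.aspx?ReturnUrl=http%3a%2f%2fexample.test%2flogin.aspx",
    "/login.aspx?ReturnUrl=%2f%2fexample.test%2f",
    "/login.aspx?ReturnUrl=%2f%5cexample.test%2f",
    "/login.aspx",
]

if __name__ == "__main__":
    for line in flag_login_requests(SAMPLE_REQUESTS):
        print("off-site return URL:", line)
```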
ASP.Net Forms Authentication Bypass Vulnerability - CVE-2011-3416
An elevation of privilege vulnerability exists in the way that .NET Framework
authenticates users. In order to exploit this vulnerability, an unauthenticated
attacker would need to be able to register an account on the ASP.NET
application, and must know an existing account name for a targeted user. The
attacker could then craft a special web request using a previously registered
account name to gain access to that account. The attacker could then take any
action in the context of the targeted user, including executing arbitrary
commands on the site.
ASP.NET Forms Authentication Ticket Caching Vulnerability - CVE-2011-3417
An elevation of privilege vulnerability exists in the way that ASP.NET
Framework handles cached content when Forms Authentication is used with sliding
expiry. An attacker who successfully exploited this vulnerability could take
any action including executing arbitrary commands that the user could take on
the site in the context of the target user. In an email attack scenario, an
attacker could exploit the vulnerability by sending a specially crafted link to
the user and convincing the user to click the link. An attacker would have no
way to force users to visit the website. Instead, an attacker would have to
convince users to take action, typically by clicking a link in an email message
or in an Instant Messenger message.
- --------------------------END INCLUDED TEXT--------------------
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----