Microsoft released Security Advisory 2416728, which relates to a new public report of a vulnerability in ASP.NET. All versions of the Microsoft .NET Framework are affected. Microsoft is currently not aware of any attacks using the vulnerability and is continuing to investigate. Mitigations and workarounds are included in the Security Advisory.
The impact of the vulnerability, as well as additional information, is provided by the Security Research and Defense blog:
"ASP.Net uses encryption to hide sensitive data and protect it from tampering by the client. However, a vulnerability in the ASP.Net encryption implementation can allow an attacker to decrypt and tamper with this data.
But what can the attacker do with this capability? Part of the answer depends on the ASP.Net application being attacked. For example, if the ASP.Net application stores sensitive information, such as passwords or database connection strings, in the ViewState object, this data could be compromised. The ViewState object is encrypted and sent to the client in a hidden form variable, so it is a possible target of this attack.
If the ASP.Net application is using ASP.Net 3.5 SP1 or above, the attacker could use this encryption vulnerability to request the contents of an arbitrary file within the ASP.Net application. The public disclosure demonstrated using this technique to retrieve the contents of web.config. Any file in the ASP.Net application which the worker process has access to will be returned to the attacker."
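The advisory's workaround rests on one idea: an application must not let a client tell a decryption (padding) failure apart from any other error, because that difference is what the attack measures. The web.config excerpt below is an added example, not text from the advisory or the blog post; it shows a configuration that leaks the difference next to a hardened one, and the file and page names in it are placeholders.

```xml
<!-- Added example (not from the advisory): two web.config excerpts.
     ~/error.aspx is a placeholder name for the application's error page. -->

<!-- WEAK: custom errors are disabled, so each failure produces its own
     detailed error response. A client that submits modified ciphertext
     (e.g. a tampered __VIEWSTATE value) can distinguish a decryption
     failure from any other failure, which is exactly the signal the
     padding-oracle technique behind CVE-2010-3332 relies on. -->
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>

<!-- HARDENED: every unhandled error, whatever its cause, is answered with
     the same page. redirectMode="ResponseRewrite" (ASP.NET 3.5 SP1 and
     later) renders that page in place instead of issuing a redirect, so
     the client also sees the same URL for every failure. No per-status
     <error> entries are listed: they would reintroduce distinguishable
     responses. -->
<configuration>
  <system.web>
    <customErrors mode="On" redirectMode="ResponseRewrite"
                  defaultRedirect="~/error.aspx" />
  </system.web>
</configuration>
```

The advisory additionally recommended that the single error page itself insert a small random delay before responding, so that response timing does not leak what a uniform error body hides; applying the update once available removes the need for this workaround.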
- CVE Reference: CVE-2010-3332
- MSRC Blog: Security Advisory 2416728 Released
- Security Research and Defense: Understanding the ASP.NET Vulnerability
- TechNet: Security Advisory 2416728