Executive Summary

Summary
Title Vulnerability in .NET Framework Could Allow Information Disclosure (2567951)
Informations
Name MS11-069 First vendor Publication 2011-08-09
Vendor Microsoft Last vendor Modification 2011-10-26
Severity (Vendor) Moderate Revision 1.2

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Cvss Base Score 4.3 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Severity Rating: Moderate

Revision Note: V1.2 (October 26, 2011): Corrected Server Core installation applicability for .NET Framework 4 on Windows Server 2008 R2 for x64-based Systems.

Summary: This security update resolves a privately reported vulnerability in Microsoft .NET Framework. The vulnerability could allow information disclosure if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs). In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker?s Web site. This vulnerability could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions.

Original Source

Url : http://technet.microsoft.com/en-us/security/bulletin/ms11-069

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-200 Information Exposure

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:12901
 
Oval ID: oval:org.mitre.oval:def:12901
Title: Socket Restriction Bypass Vulnerability
Description: Microsoft .NET Framework 2.0 SP2, 3.5.1, and 4 does not properly validate the System.Net.Sockets trust level, which allows remote attackers to obtain sensitive information or trigger arbitrary outbound network traffic via (1) a crafted XAML browser application (aka XBAP), (2) a crafted ASP.NET application, or (3) a crafted .NET Framework application, aka "Socket Restriction Bypass Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2011-1978
 Version: 5
Platform(s): Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
 Product(s): Microsoft .NET Framework
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 3

OpenVAS Exploits

Date Description
2011-08-11 Name : Microsoft .NET Framework Information Disclosure Vulnerability (2567951)
File : nvt/secpod_ms11-069.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
74404 Microsoft .NET Framework System.Net.Sockets Code Access Security Bypass Infor...

Nessus® Vulnerability Scanner

Date Description
2011-08-09 Name : The Microsoft .NET Framework install on the remote host is affected by an imp...
File : smb_nt_ms11-069.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
Date Informations
2014-02-17 11:47:05
  • Multiple Updates
2013-05-11 00:49:52
  • Multiple Updates