Executive Summary

Summary
TitleVulnerabilities in .NET Framework Could Allow Elevation of Privilege
Informations
NameMS14-009First vendor Publication2014-02-11
VendorMicrosoftLast vendor Modification2014-09-24
Severity (Vendor) ImportantRevision1.3

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score9.3Attack RangeNetwork
Cvss Impact Score10Attack ComplexityMedium
Cvss Expoit Score8.6AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

Severity Rating: Important
Revision Note: V1.3 (September 24, 2014): Bulletin revised to correct a missing Server Core installation entry in the Affected Software table for Microsoft .NET Framework 4 when installed on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (2898855). This is an informational change only. Customers running this affected software on Server Core installations who have already applied the 2898855 update do not need to take any action. Customers running this affected software on Server Core installations who have not already installed the update should do so to be protected from the vulnerabilities addressed in this bulletin.
Summary: This security update resolves two publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft .NET Framework. The most severe vulnerability could allow elevation of privilege if a user visits a specially crafted website or a website containing specially crafted web content. In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to convince users to visit the compromised website, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker's website.

Original Source

Url : https://technet.microsoft.com/en-us/library/security/MS14-009

CWE : Common Weakness Enumeration

%idName
67 %CWE-20Improper Input Validation
33 %CWE-264Permissions, Privileges, and Access Controls

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:22472
 
Oval ID: oval:org.mitre.oval:def:22472
Title: Type Traversal Vulnerability (CVE-2014-0257) - MS14-009
Description: Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly determine whether it is safe to execute a method, which allows remote attackers to execute arbitrary code via (1) a crafted web site or (2) a crafted .NET Framework application that exposes a COM server endpoint, aka "Type Traversal Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2014-0257
Version: 5
Platform(s): Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4.0
Microsoft .NET Framework 4.5
Microsoft .NET Framework 4.5.1
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22283
 
Oval ID: oval:org.mitre.oval:def:22283
Title: POST Request DoS Vulnerability (CVE-2014-0253) - MS14-009
Description: Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly determine TCP connection states, which allows remote attackers to cause a denial of service (ASP.NET daemon hang) via crafted HTTP requests that trigger persistent resource consumption for a (1) stale or (2) closed connection, as exploited in the wild in February 2014, aka "POST Request DoS Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2014-0253
Version: 8
Platform(s): Microsoft Windows 7
Microsoft Windows 8
Microsoft Windows 8.1
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2012
Microsoft Windows Server 2012 R2
Microsoft Windows Vista
Microsoft Windows XP
Product(s): Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4.0
Microsoft .NET Framework 4.5
Microsoft .NET Framework 4.5.1
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22158
 
Oval ID: oval:org.mitre.oval:def:22158
Title: VSAVB7RT ASLR Vulnerability (CVE-2014-0295) - MS14-009
Description: VsaVb7rt.dll in Microsoft .NET Framework 2.0 SP2 and 3.5.1 does not implement the ASLR protection mechanism, which makes it easier for remote attackers to execute arbitrary code via a crafted web site, as exploited in the wild in February 2014, aka "VSAVB7RT ASLR Vulnerability."
Family: windows Class: vulnerability
Reference(s): CVE-2014-0295
Version: 5
Platform(s): Microsoft Windows 7
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Vista
Product(s): Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.5.1
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application8

ExploitDB Exploits

idDescription
2014-06-27MS14-009 .NET Deployment Service IE Sandbox Escape

Information Assurance Vulnerability Management (IAVM)

DateDescription
2014-02-13IAVM : 2014-B-0013 - Multiple Vulnerabilities in Microsoft .NET Framework
Severity : Category I - VMSKEY : V0044036

Snort® IPS/IDS

DateDescription
2014-03-13Microsoft Windows ASP .NET denial of service attempt
RuleID : 29715 - Revision : 4 - Type : SERVER-IIS

Nessus® Vulnerability Scanner

DateDescription
2014-02-12Name : The version of the .NET Framework installed on the remote host is affected by...
File : smb_nt_ms14-009.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
8
9
10
11
12
13
DateInformations
2016-04-27 02:04:03
  • Multiple Updates
2014-09-24 21:29:35
  • Multiple Updates
2014-09-24 21:16:49
  • Multiple Updates
2014-07-17 00:24:56
  • Multiple Updates
2014-07-17 00:16:31
  • Multiple Updates
2014-06-28 17:24:59
  • Multiple Updates
2014-06-26 21:24:43
  • Multiple Updates
2014-03-13 21:21:01
  • Multiple Updates
2014-02-28 21:16:26
  • Multiple Updates
2014-02-17 11:47:56
  • Multiple Updates
2014-02-14 17:19:05
  • Multiple Updates
2014-02-12 17:26:49
  • Multiple Updates
2014-02-12 13:27:02
  • Multiple Updates
2014-02-11 21:17:03
  • First insertion