Executive Summary
| Summary | |
|---|---|
| Title | Insecure ASP.NET Site Configuration Could Allow Elevation of Privilege |
| Information | | | |
|---|---|---|---|
| Name | KB2905247 | First vendor publication | 2013-12-10 |
| Vendor | Microsoft | Last vendor modification | 1970-01-01 |
| Severity (vendor) | N/A | Revision | 1.0 |
Security-Database Scoring CVSS v3

| CVSS vector | N/A | | |
|---|---|---|---|
| Overall CVSS score | N/A | | |
| Base score | N/A | Environmental score | N/A |
| Impact sub score | N/A | Temporal score | N/A |
| Exploitability sub score | N/A | | |
Security-Database Scoring CVSS v2

| CVSS vector | Not defined | | |
|---|---|---|---|
| CVSS base score | Not defined | Attack range | Not defined |
| CVSS impact score | Not defined | Attack complexity | Not defined |
| CVSS exploit score | Not defined | Authentication | Not defined |
Detail

Microsoft is announcing the availability of an update for Microsoft ASP.NET to address a vulnerability in ASP.NET view state that exists when message authentication code (MAC) validation is disabled through configuration settings. The vulnerability could allow elevation of privilege and affects all supported versions of Microsoft .NET Framework except .NET Framework 3.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1. Any ASP.NET site for which view state MAC has been disabled through configuration settings is vulnerable to attack. An attacker who successfully exploited the vulnerability could use specially crafted HTTP content to inject code that runs in the context of the service account on the ASP.NET server.

Microsoft is aware of general information available publicly that could be used to exploit this vulnerability, but is not aware of any active attacks.

Mitigating Factors:

Recommendation. Microsoft recommends that customers apply the suggested action to ensure that ASP.NET view state MAC remains enabled on ASP.NET sites. Please see the Suggested Actions section of this advisory for more information.

For more information about this vulnerability, see the following references:

This advisory discusses the following software.

Note: .NET Framework 4 and .NET Framework 4 Client Profile are affected. The .NET Framework version 4 redistributable packages are available in two profiles: .NET Framework 4 and .NET Framework 4 Client Profile. .NET Framework 4 Client Profile is a subset of .NET Framework 4. The vulnerability addressed in this update affects both .NET Framework 4 and .NET Framework 4 Client Profile. For more information, see the MSDN article, Installing the .NET Framework.

Frequently Asked Questions

- What is the scope of the advisory?
- What is view state?
- Will disabling view state mitigate the vulnerability?
- What is view state MAC validation?
- What might an attacker use the vulnerability to do?
- How could an attacker exploit the vulnerability?
- What does the update do?
- What additional actions must customers take following the installation of the update?
- How do I determine which version of the Microsoft .NET Framework is installed?
- What is the difference between .NET Framework 4 and .NET Framework 4 Client Profile?
- I have .NET Framework 3.0 Service Pack 2 installed; this version is not listed among the affected software in this bulletin. Do I need to install an update?
- I have .NET Framework 3.5 Service Pack 1 installed. Do I need to install any updates?
- Are updates available for Preview editions of Microsoft Windows and Release Candidate editions of Microsoft .NET Framework?

Suggested Actions

This update is available from the Microsoft Download Center. For information on how to manually apply the update, see Microsoft Knowledge Base Article 2905247. Microsoft recommends following the guidance available in Microsoft Knowledge Base Article 2915218.

We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. For more information, see Microsoft Safety & Security Center. Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.

Affected Software

For information about the specific security update for your affected software, see the reference table for that software.

Reference Table

The following table contains the security update information for this software.

Note: The update for supported versions of Windows XP Professional x64 Edition also applies to supported versions of Windows Server 2003 x64 Edition.

Note: The update for supported versions of Windows Server 2003 x64 Edition also applies to supported versions of Windows XP Professional x64 Edition (except for the update for Microsoft .NET Framework 1.1, which does not apply to Windows XP).
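The advisory's recommendation is to make sure view state MAC validation remains enabled on every ASP.NET site. As an added worked example, not code from Microsoft, from the advisory or from KB2905247, the Python script below audits a site for the configuration state the advisory describes as vulnerable. It checks the two standard ASP.NET locations where MAC validation is switched off: the enableViewStateMac attribute on the pages element in web.config, and the EnableViewStateMac attribute of an @ Page directive in .aspx markup. The setting defaults to true, so a clean site has neither. The web.config and page samples embedded in the script are constructed for the demonstration; the scan_tree function is the part you would point at a copied or mounted web root.

```python
"""Audit ASP.NET sites for disabled view state MAC validation.

Added example for this advisory; it is not code from Microsoft or from
KB2905247. It looks for the two standard places the setting lives:
the <pages enableViewStateMac="false"> element in web.config, and the
EnableViewStateMac="false" attribute of an @ Page directive in .aspx
markup. All sample inputs below are constructed for the demonstration.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: disables view state MAC for the whole site (vulnerable).
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""

# Constructed sample: the corrected form. Omitting the attribute is equivalent,
# because enableViewStateMac defaults to true.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
  </system.web>
</configuration>
"""

# Constructed sample: a single page overriding the site-wide setting.
WEAK_PAGE = ('<%@ Page Language="C#" EnableViewStateMac="false" '
             'AutoEventWireup="true" %>\n<html><body></body></html>\n')

# @ Page directive and its attributes; both are case-insensitive in ASP.NET.
DIRECTIVE_RE = re.compile(r"<%@\s*Page\b(?P<body>.*?)%>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'\bEnableViewStateMac\s*=\s*"(?P<value>[^"]*)"', re.IGNORECASE)


def config_findings(xml_text, source="web.config"):
    """Return (source, location, value) for every <pages> element in a
    web.config that sets enableViewStateMac to false. <pages> is searched
    at any depth because it may also appear under <location> elements."""
    findings = []
    for pages in ET.fromstring(xml_text).iter("pages"):
        value = pages.get("enableViewStateMac")
        if value is not None and value.strip().lower() == "false":
            findings.append((source, "pages", value))
    return findings


def markup_findings(text, source):
    """Return (source, location, value) for every @ Page directive in .aspx
    markup that sets EnableViewStateMac to false."""
    findings = []
    for directive in DIRECTIVE_RE.finditer(text):
        attr = ATTR_RE.search(directive.group("body"))
        if attr and attr.group("value").strip().lower() == "false":
            findings.append((source, "@ Page", attr.group("value")))
    return findings


def scan_tree(web_root):
    """Walk a copied or mounted web root and audit every web.config and .aspx
    file. utf-8-sig strips the byte-order mark that Visual Studio writes."""
    findings = []
    for path in Path(web_root).rglob("*"):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8-sig", errors="replace")
        if path.name.lower() == "web.config":
            findings += config_findings(text, str(path))
        elif path.suffix.lower() == ".aspx":
            findings += markup_findings(text, str(path))
    return findings


def demo():
    """Audit the constructed samples; returns (weak_findings, hardened_findings)."""
    weak = (config_findings(WEAK_WEB_CONFIG, "weak/web.config")
            + markup_findings(WEAK_PAGE, "weak/Default.aspx"))
    hardened = config_findings(HARDENED_WEB_CONFIG, "hardened/web.config")
    return weak, hardened


if __name__ == "__main__":
    weak, hardened = demo()
    for source, location, value in weak:
        print(f"{source}: {location} sets EnableViewStateMac={value!r} (vulnerable per KB2905247)")
    print(f"hardened sample: {len(hardened)} finding(s)")
```

Every hit is a site or page that has opted out of the protection this advisory is about, and the fix is the one the advisory recommends: remove the attribute or set it to true so that view state MAC validation stays enabled. The script checks configuration only; it does not confirm whether the KB2905247 update is installed, which remains a separate check against the Reference Table for your platform.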