Microsoft Windows ASP.NET Padding Oracle Vulnerability ( 29 September 2010 )
Last Update Date:
28 Jan 2011
Release Date:
29 Sep 2010
4670
Views
RISK: Medium Risk
An information disclosure vulnerability exists in ASP.NET due to improper error handling during encryption padding verification. An attacker who successfully exploited this vulnerability could read data, such as the view state, which was encrypted by the server. This vulnerability can also be used for data tampering, which, if successfully exploited, could be used to decrypt and tamper with the data encrypted by the server. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise the affected system. In Microsoft .NET Framework 3.5 Service Pack 1 and above, this vulnerability can also be used by an attacker to retrieve the contents of any file within the ASP.NET application, including web.config.
Impact
- Information Disclosure
System / Technologies affected
- Windows XP
- Windows Server 2003
- Windows Vista
- Windows Server 2008
- Windows 7
- Windows Server 2008 R2
Solutions
Before installation of the software, please visit the software manufacturer web-site for more details.
Download locations for this patch
- Windows XP Service Pack 3
- Microsoft .NET Framework 1.1 Service Pack 1
- Microsoft .NET Framework 2.0 Service Pack 2
- Microsoft .NET Framework 3.5
- Microsoft .NET Framework 3.5 Service Pack 1
- Microsoft .NET Framework 4.0 - Windows XP Professional x64 Edition Service Pack 2
- Microsoft .NET Framework 1.1 Service Pack 1
- Microsoft .NET Framework 2.0 Service Pack 2
- Microsoft .NET Framework 3.5
- Microsoft .NET Framework 3.5 Service Pack 1
- Microsoft .NET Framework 4.0 - Windows Server 2003 Service Pack 2
- Microsoft .NET Framework 1.1 Service Pack 1
- Microsoft .NET Framework 2.0 Service Pack 2
- Microsoft .NET Framework 3.5
- Microsoft .NET Framework 3.5 Service Pack 1
- Microsoft .NET Framework 4.0 - Windows Server 2003 x64 Edition Service Pack 2
- Microsoft .NET Framework 1.1 Service Pack 1 - Microsoft .NET Framework 2.0 Service Pack 2 - Windows Server 2003 with SP2 for Itanium-based Systems
- Microsoft .NET Framework 1.1 Service Pack 1
- Microsoft .NET Framework 2.0 Service Pack 2
- Microsoft .NET Framework 3.5
- Microsoft .NET Framework 3.5 Service Pack 1
- Microsoft .NET Framework 4.0 - Windows Vista Service Pack 1
- Microsoft .NET Framework 1.1 Service Pack 1
- Microsoft .NET Framework 3.5 Service Pack 1
- Microsoft .NET Framework 4.0
- Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5
- Microsoft .NET Framework 2.0 Service Pack 2 - Windows Vista Service Pack 2
- Microsoft .NET Framework 1.1 Service Pack 1
- Microsoft .NET Framework 2.0 Service Pack 2
- Microsoft .NET Framework 3.5
- Microsoft .NET Framework 3.5 Service Pack 1
- Microsoft .NET Framework 4.0 - Windows Vista x64 Edition Service Pack 1
- Microsoft .NET Framework 1.1 Service Pack 1
- Microsoft .NET Framework 3.5 Service Pack 1
- Microsoft .NET Framework 4.0
- Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5
- Microsoft .NET Framework 2.0 Service Pack 2 - Windows Vista x64 Edition Service Pack 2
- Microsoft .NET Framework 1.1 Service Pack 1
- Microsoft .NET Framework 2.0 Service Pack 2
- Microsoft .NET Framework 3.5
- Microsoft .NET Framework 3.5 Service Pack 1
- Microsoft .NET Framework 4.0 - Windows Server 2008 for 32-bit Systems
- Microsoft .NET Framework 1.1 Service Pack 1
- Microsoft .NET Framework 3.5 Service Pack 1
- Microsoft .NET Framework 4.0
- Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5
- Microsoft .NET Framework 2.0 Service Pack 2 - Windows Server 2008 for 32-bit Systems Service Pack 2
- Microsoft .NET Framework 1.1 Service Pack 1
- Microsoft .NET Framework 2.0 Service Pack 2
- Microsoft .NET Framework 3.5
- Microsoft .NET Framework 3.5 Service Pack 1
- Microsoft .NET Framework 4.0 - Windows Server 2008 for x64-based Systems
- Microsoft .NET Framework 1.1 Service Pack 1
- Microsoft .NET Framework 3.5 Service Pack 1
- Microsoft .NET Framework 4.0
- Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5
- Microsoft .NET Framework 2.0 Service Pack 2 - Windows Server 2008 for x64-based Systems Service Pack 2
- Microsoft .NET Framework 1.1 Service Pack 1
- Microsoft .NET Framework 2.0 Service Pack 2
- Microsoft .NET Framework 3.5
- Microsoft .NET Framework 3.5 Service Pack 1
- Microsoft .NET Framework 4.0 - Windows Server 2008 for Itanium-based Systems
- Microsoft .NET Framework 1.1 Service Pack 1
- Microsoft .NET Framework 3.5 Service Pack 1
- Microsoft .NET Framework 4.0
- Microsoft .NET Framework 2.0 Service Pack 1 and Microsoft .NET Framework 3.5
- Microsoft .NET Framework 2.0 Service Pack 2 - Windows Server 2008 for Itanium-based Systems Service Pack 2
- Microsoft .NET Framework 1.1 Service Pack 1
- Microsoft .NET Framework 2.0 Service Pack 2
- Microsoft .NET Framework 3.5
- Microsoft .NET Framework 3.5 Service Pack 1
- Microsoft .NET Framework 4.0 - Windows 7 for 32-bit Systems
- Microsoft .NET Framework 3.5.1
- Microsoft .NET Framework 4.0 - Windows 7 for x64-based Systems
- Microsoft .NET Framework 3.5.1
- Microsoft .NET Framework 4.0 - Windows Server 2008 R2 for x64-based Systems
- Microsoft .NET Framework 3.5.1
- Microsoft .NET Framework 4.0 - Windows Server 2008 R2 for Itanium-based Systems
- Microsoft .NET Framework 3.5.1
- Microsoft .NET Framework 4.0
- Microsoft .NET Framework 3.5
- Microsoft .NET Framework 3.5 Service Pack 1
- Microsoft .NET Framework 4.0
Vulnerability Identifier
Source
Related Link
Share with