
====================================================================

                             CERT-Renater

                 Information Note No. 2015/VULN178
_____________________________________________________________________

DATE                : 09/09/2015

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Microsoft .NET Framework versions
                            2.0, 4, 4.5/4.5.1/4.5.2, 4.6, 3.5.

======================================================================
KB3089662
https://technet.microsoft.com/en-us/library/security/MS15-101
______________________________________________________________________

MS15-101: Vulnerabilities in .NET Framework Could Allow Elevation of 
Privilege (3089662)

Bulletin Number: MS15-101

Bulletin Title: Vulnerabilities in .NET Framework Could Allow Elevation 
of Privilege

Severity: Important

KB Article: 3089662

Version: 1.0

Published Date: September 8, 2015


Executive Summary

This security update resolves vulnerabilities in Microsoft .NET
Framework. The most severe of the vulnerabilities could allow elevation
of privilege if a user runs a specially crafted .NET application.
However, in all cases, an attacker would have no way to force users to
run the application; an attacker would have to convince users to do so.

This security update is rated Important for Microsoft .NET Framework
2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET
Framework 3.5.1, Microsoft .NET Framework 4, Microsoft .NET Framework
4.5, Microsoft .NET Framework 4.5.1, and Microsoft .NET Framework 4.5.2
on affected releases of Microsoft Windows. For more information, see
the Affected Software section.


Affected Software

Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 4[1]
Microsoft .NET Framework 4.5/4.5.1/4.5.2
Microsoft .NET Framework 4.6
Microsoft .NET Framework 3.5

Windows Vista Service Pack 2

Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Windows 8 for 32-bit Systems

Windows 8 for x64-based Systems

Windows 8.1 for 32-bit Systems

Windows 8.1 for x64-based Systems

Windows Server 2012

Windows Server 2012 R2

Windows RT

Windows RT 8.1

Windows 10 for 32-bit Systems[3]

Windows 10 for x64-based Systems[3]

Server Core installation option

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core 
installation)

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2 (Server Core installation)

[1].NET Framework 4 and .NET Framework 4 Client Profile affected.

[2]This update is available via Windows Update only.

[3]The Windows 10 update is cumulative. In addition to containing
non-security updates, it also contains all of the security fixes for
all of the Windows 10-affected vulnerabilities shipping with this
month's security release. See Microsoft Knowledge Base Article 3081455
for more information and download links.


Vulnerability Information

.NET Elevation of Privilege Vulnerability - CVE-2015-2504

An elevation of privilege vulnerability exists in the way that the .NET
Framework validates the number of objects in memory before copying
those objects into an array. An attacker who successfully exploited
this vulnerability could take control of an affected system. An
attacker could then install programs; view, change, or delete data; or
create new accounts with full user rights. Users whose accounts are
configured to have fewer user rights on the system could be less
impacted than users who operate with administrative user rights.

There are two attack scenarios possible for exploiting this
vulnerability: a web browsing scenario and a Windows .NET application
bypass of Code Access Security (CAS) restrictions. These scenarios are
described as follows:

     Web browsing attack scenario: An attacker could host a specially
     crafted website that contains a specially crafted XBAP (XAML
     browser application) that could exploit this vulnerability, and
     then convince a user to view the website. The attacker could also
     take advantage of compromised websites and websites that accept or
     host user-provided content or advertisements. In all cases,
     however, an attacker would have no way to force users to visit
     these websites. Instead, an attacker would have to convince users
     to visit the website, typically by getting them to click a link in
     an instant messenger or email message that takes users to the
     attacker's website. It could also be possible to display specially
     crafted web content by using banner advertisements or by using
     other methods to deliver web content to affected systems.

     Windows .NET applications attack scenario: This vulnerability could
     also be used by Windows .NET Framework applications to bypass Code
     Access Security (CAS) restrictions.

There are two types of systems at risk, which are described as follows:

     Web browsing scenario: Successful exploitation of this vulnerability
     requires a user to be logged on and visiting websites using a web
     browser capable of instantiating XBAPs. Therefore, any systems
     where a web browser is used frequently, such as workstations or
     terminal servers, are at the most risk from this vulnerability.
     Servers could be at more risk if administrators allow users to
     browse and read email on servers. However, best practices strongly
     discourage allowing this.

     Windows .NET applications: Workstations and servers that run
     untrusted Windows .NET Framework applications are also at risk from
     this vulnerability.

The update addresses the vulnerability by correcting how the .NET
Framework copies objects in memory. This vulnerability has been
publicly disclosed. It has been assigned Common Vulnerability and
Exposure number CVE-2015-2504. When this bulletin was originally
released, Microsoft was not aware of any attacks that attempt to
exploit this vulnerability.


MVC Denial of Service Vulnerability - CVE-2015-2526

A denial of service vulnerability exists that is caused when .NET fails 
to properly handle certain specially crafted requests. An attacker who
successfully exploited this vulnerability could send a small number of
specially crafted requests to an ASP.NET server, causing performance to
degrade significantly enough to cause a denial of service condition.

An attacker could use this vulnerability to create a denial of service
attack and disrupt the availability of sites that use ASP.NET.
Internet-facing systems with ASP.NET installed are primarily at risk
from this vulnerability. Internal websites that use ASP.NET can also be
at risk from this vulnerability. The update addresses the vulnerability
by correcting how the .NET Framework handles specially crafted requests.

Microsoft received information about this vulnerability through
coordinated vulnerability disclosure. When this security bulletin was
issued, Microsoft had not received any information to indicate that
this vulnerability had been publicly used to attack customers.

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
