==================================================================== CERT-Renater Note d'Information No. 2016/VULN200 _____________________________________________________________________ DATE : 11/05/2016 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Windows version Vista, Server 2008, 7, 8.1, RT 8.1, 10, Server 2012 running Microsoft .NET Framework. ====================================================================== KB3156757 https://technet.microsoft.com/en-us/library/security/MS16-065 ____________________________________________________________________ Microsoft Security Bulletin MS16-065 - Important Security Update for .NET Framework (3156757) Published: May 10, 2016 Version: 1.0 Executive Summary This security update resolves a vulnerability in Microsoft .NET Framework. The vulnerability could cause information disclosure if an attacker injects unencrypted data into the target secure channel and then performs a man-in-the-middle (MiTM) attack between the targeted client and a legitimate server. This security update is rated Important for Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6, and Microsoft .NET Framework 4.6.1 on affected releases of Microsoft Windows. Affected Software Windows Vista Windows Server 2008 Windows 7 Windows Server 2008 R2 Windows 8.1 Windows Server 2012 and Windows Server 2012 R2 Windows RT 8.1 Windows 10 Vulnerability Information TLS/SSL Information Disclosure Vulnerability - CVE-2016-0149 An information disclosure vulnerability exists in the TLS/SSL protocol, implemented in the encryption component of Microsoft .NET Framework. An attacker who successfully exploited this vulnerability could decrypt encrypted SSL/TLS traffic. To exploit the vulnerability, an attacker would first have to inject unencrypted data into the secure channel and then perform a man-in- the-middle (MiTM) attack between the targeted client and a legitimate server. The update addresses the vulnerability by modifying the way that the .NET encryption component sends and receives encrypted network packets. Important Microsoft recommends that customers download and test the applicable update in controlled/managed environments before deploying it in their production environments. In case of application compatibility issues, the recommended approach is to ensure that the server and client endpoints are correctly implementing the TLS RFC, and that they can interpret two split records containing 1, n-1 bytes respectively after this update. For more information and developer guidance, see Microsoft Knowledge Base Article 3155464. The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list: Vulnerability title CVE number Publicly disclosed Exploited TLS/SSL Information Disclosure Vulnerability CVE-2016-0149 Yes No ========================================================== Serveur de référence du CERT-Renater https://services.renater.fr/ssi/ ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================