=====================================================================
                     CERT-Renater

          Information Note No. 2016/VULN413
_____________________________________________________________________

DATE                 : 14/12/2016

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Windows versions Vista, Server 2008, 7, 8.1, 10,
                       RT 8.1, Server 2012, Server 2016 running
                       .NET Framework.

=====================================================================
KB3205640
https://technet.microsoft.com/en-us/library/security/MS16-155
_____________________________________________________________________

Microsoft Security Bulletin MS16-155: Security Update for .NET
Framework (3205640)

Published Date: December 14, 2016
Version: 1.0

Executive Summary

This security update resolves a vulnerability in Microsoft .NET 4.6.2
Framework's Data Provider for SQL Server. A security vulnerability
exists in Microsoft .NET Framework 4.6.2 that could allow an attacker
to access information that is defended by the Always Encrypted feature.

This security update is rated Important for Microsoft .NET Framework
4.6.2.

Affected Software

  Windows Vista
  Windows Server 2008
  Windows 7
  Windows Server 2008 R2
  Windows 8.1
  Windows Server 2012 and Windows Server 2012 R2
  Windows RT 8.1
  Windows 10
  Windows Server 2016

Vulnerability Information

.NET Framework Information Disclosure Vulnerability CVE-2016-7270

An information disclosure vulnerability exists in Microsoft .NET 4.6.2
Framework's Data Provider for SQL Server that could allow an attacker
to access information that should be defended by the Always Encrypted
feature.

The vulnerability is caused when .NET Framework improperly uses a
developer-supplied key. When this key is misused, it is also possible
for access to data to be temporarily lost.

To exploit the vulnerability, an attacker who can access the
incorrectly encrypted data could attempt to decrypt the data using an
easily guessable key.

Vulnerability title          CVE number      Publicly disclosed  Exploited
---------------------------  --------------  ------------------  ---------
.NET Framework Information   CVE-2016-7270   Yes                 No
Disclosure Vulnerability

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================