CVE-2010-3332

Description

Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability."

References

http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx

http://isc.sans.edu/diary.html?storyid=9568

http://pentonizer.com/general-programming/aspnet-poet-vulnerability-what-else-can-i-do/

http://secunia.com/advisories/41409

http://securitytracker.com/id?1024459

http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310

http://twitter.com/thaidn/statuses/24832350146

http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx

http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2799/Oracle-Padding-Vulnerability-in-ASP-NET.aspx

http://www.ekoparty.org/juliano-rizzo-2010.php

http://www.microsoft.com/technet/security/advisory/2416728.mspx

http://www.mono-project.com/Vulnerabilities#ASP.NET_Padding_Oracle

http://www.securityfocus.com/bid/43316

http://www.theinquirer.net/inquirer/news/1732956/security-researchers-destroy-microsoft-aspnet-security

http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html

http://www.vupen.com/english/advisories/2010/2429

http://www.vupen.com/english/advisories/2010/2751

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070

https://exchange.xforce.ibmcloud.com/vulnerabilities/61898

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12365

Details

Source: MITRE

Published: 2010-09-22

Updated: 2018-10-12

Type: CWE-310

Risk Information

CVSS v2.0

Base Score: 5

Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM