Title

The InfoPath APTCA Assembly Allowable List must be enforced. (Cat II impact)

Discussion

InfoPath 2013 forms' business logic can only call into Global Assembly Cache (GAC) assemblies listed in the APTCA Assembly Allowable List. If this configuration is changed, forms can call into any assembly in the GAC where the Allow Partially Trusted Callers Attribute (APTCA) is set. This configuration could allow malicious developers to access assemblies in the GAC not intended to be used by InfoPath forms.

Check Content

The policy value for Computer Configuration -> Administrative Templates -> Microsoft InfoPath 2013 (Machine) -> Security "InfoPath APTCA Assembly Allowable List Enforcement" must be set to "Enabled". Procedure: Use the Windows Registry Editor to navigate to the following key: HKLM\Software\Policies\Microsoft\office\15.0\InfoPath\security Criteria: If the value APTCA_AllowList is REG_DWORD = 1, this is not a finding.

Fix Text

Set the policy value for Computer Configuration -> Administrative Templates -> Microsoft InfoPath 2013 (Machine) -> Security "InfoPath APTCA Assembly Allowable List Enforcement" to "Enabled".

Additional Identifiers

Rule ID: SV-53452r1_rule

Vulnerability ID: V-26697

Group Title: DTOO309 - APTCA Assembly Allow List Enforcement

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.