Check: 2010-B-0046
windows 7 iavm:
2010-B-0046
(in version v1 r32)
Title
Microsoft .NET Framework Data Tampering Vulnerability (Cat II impact)
Discussion
Microsoft has reported a security vulnerability in Microsoft .NET Framework. The Microsoft .NET Framework is a component of the Microsoft Windows operating system that enables building and running software applications and Web services. To exploit this vulnerability, an attacker would send malicious XML content to an affected system. If successfully exploited, this vulnerability would allow an attacker to bypass certain cryptographic signatures and compromise the affected system. At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

XML Signature HMAC Truncation Authentication Bypass Vulnerability - (CVE-2009-0217): A data tampering vulnerability exists in the Microsoft .NET Framework that could allow an attacker to tamper with signed XML content without being detected. In custom applications, the security impact depends on the specific usage scenario. Scenarios in which signed XML messages are transmitted over a secure channel (such as SSL) are not affected by this vulnerability.

An attacker who successfully exploited this vulnerability could bypass certain cryptographic signatures and as a result, tamper with signed XML content without the receiver detecting the changes. If the message is changed completely from its original meaning, this may also constitute spoofing. In situations where a developer has written an application that relies on HMAC signed XML content, the security impact depends on the specific usage scenario for that application.
Check Content
See IAVM notice and vendor bulletin for additional information. Microsoft Bulletin MS10-041 (981343).

Vulnerable Applications/Systems:

Microsoft Windows 2000
- Microsoft Windows 2000 SP 4: Microsoft .NET Framework 1.1 SP 1 (KB979906); Microsoft .NET Framework 2.0 SP 2 (KB979909)

Windows XP
- Windows XP SP 2: Microsoft .NET Framework 1.0 SP 3 (KB979904) (Windows XP Media Center Edition 2005 only)
- Windows XP SP 3: Microsoft .NET Framework 1.0 SP 3 (KB979904) (Windows XP Media Center Edition 2005 and Windows XP Tablet PC Edition 2005 only)
- Windows XP SP 2 and SP 3: Microsoft .NET Framework 1.1 SP 1 (KB979906); Microsoft .NET Framework 3.5 (KB982865); Microsoft .NET Framework 2.0 SP 2 and 3.5 SP 1 (KB979909)
- Windows XP Professional x64 Edition SP 2: Microsoft .NET Framework 1.1 SP 1 (KB979906); Microsoft .NET Framework 3.5 (KB982865); Microsoft .NET Framework 2.0 SP 2 and 3.5 SP 1 (KB979909)

Windows Server 2003
- Windows Server 2003 SP 2: Microsoft .NET Framework 1.1 SP 1 (KB979907); Microsoft .NET Framework 3.5 (KB982865); Microsoft .NET Framework 2.0 SP 2 and 3.5 SP 1 (KB979909)
- Windows Server 2003 x64 Edition SP 2: Microsoft .NET Framework 1.1 SP 1 (KB979906); Microsoft .NET Framework 3.5 (KB982865); Microsoft .NET Framework 2.0 SP 2 and 3.5 SP 1 (KB979909)
- Windows Server 2003 with SP2 for Itanium-based Systems: Microsoft .NET Framework 1.1 SP 1 (KB979906); Microsoft .NET Framework 3.5 (KB982865); Microsoft .NET Framework 2.0 SP 2 and 3.5 SP 1 (KB979909)

Windows Vista
- Windows Vista SP 1 and SP 2: Microsoft .NET Framework 1.1 SP 1 (KB979906)
- Windows Vista SP 1: Microsoft .NET Framework 2.0 SP 1 and 3.5 (KB979913); Microsoft .NET Framework 2.0 SP 2 and 3.5 SP 1 (KB979911)
- Windows Vista SP 2: Microsoft .NET Framework 2.0 SP 2 and 3.5 SP 1 (KB979910)
- Windows Vista x64 Edition SP 1 and SP 2: Microsoft .NET Framework 1.1 SP 1 (KB979906)
- Windows Vista x64 Edition SP 1: Microsoft .NET Framework 2.0 SP 1 and 3.5 (KB979913); Microsoft .NET Framework 2.0 SP 2 and 3.5 SP 1 (KB979911)
- Windows Vista x64 Edition SP 2: Microsoft .NET Framework 2.0 SP 2 and 3.5 SP 1 (KB979910)

Windows Server 2008
- Windows Server 2008 for 32-bit Systems and SP 2: Microsoft .NET Framework 1.1 SP 1** (KB979906)
- Windows Server 2008 for 32-bit Systems: Microsoft .NET Framework 2.0 SP 1 and 3.5** (KB979913); Microsoft .NET Framework 2.0 SP 2 and 3.5 SP 1** (KB979911)
- Windows Server 2008 for 32-bit Systems SP 2: Microsoft .NET Framework 2.0 SP 2 and 3.5 SP 1** (KB979910)
- Windows Server 2008 for x64-based Systems and SP 2: Microsoft .NET Framework 1.1 SP 1** (KB979906)
- Windows Server 2008 for x64-based Systems: Microsoft .NET Framework 2.0 SP 1 and 3.5** (KB979913); Microsoft .NET Framework 2.0 SP 2 and 3.5 SP 1** (KB979911)
- Windows Server 2008 for x64-based Systems SP 2: Microsoft .NET Framework 2.0 SP 2 and 3.5 SP 1** (KB979910)
- Windows Server 2008 for Itanium-based Systems and SP 2: Microsoft .NET Framework 1.1 SP 1 (KB979906)
- Windows Server 2008 for Itanium-based Systems: Microsoft .NET Framework 2.0 SP 1 and 3.5 (KB979913); Microsoft .NET Framework 2.0 SP 2 and 3.5 SP 1 (KB979911)
- Windows Server 2008 for Itanium-based Systems SP 2: Microsoft .NET Framework 2.0 SP 2 and 3.5 SP 1 (KB979910)

Windows 7
- Windows 7 for 32-bit Systems: Microsoft .NET Framework 3.5.1 (KB979916)
- Windows 7 for x64-based Systems: Microsoft .NET Framework 3.5.1 (KB979916)

Windows Server 2008 R2
- Windows Server 2008 R2 for x64-based Systems: Microsoft .NET Framework 3.5.1* (KB979916)
- Windows Server 2008 R2 for Itanium-based Systems: Microsoft .NET Framework 3.5.1 (KB979916)

*Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option.

**Server Core installation not affected. The vulnerabilities addressed by this update do not affect supported editions of Windows Server 2008 as indicated, when installed using the Server Core installation option.

Determine the patch required from the Vulnerable Applications above and check that the following sample file is at the version indicated or later:

- (979904) .NET Framework 1.0 Service Pack 3 for Windows XP Media Center Edition and for Windows XP Tablet PC Edition: System.security.dll 1.0.3705.6074
- (979906) .NET Framework 1.1 Service Pack 1 in Windows 2000, in Windows XP, in Windows Server 2003, in Windows Vista, and in Windows Server 2008: System.security.dll 1.1.4322.2463
- (979907) .NET Framework 1.1 Service Pack 1 for x86-based versions of Windows Server 2003 and of Windows Server 2003 R2: System.security.dll 1.1.4322.2460
- (979909) .NET Framework 3.5 Service Pack 1 and for the .NET Framework 2.0 Service Pack 2 for Windows 2000, for Windows Server 2003, and for Windows XP: System.security.dll 2.0.50727.4434; LDR payload: System.security.dll 2.0.50727.3613 (LDR – limited distribution release - hotfixes; GDR – general distribution release – security updates)
- (979910) .NET Framework 3.5 Service Pack 1 for Windows Vista Service Pack 2 and for Windows Server 2008 Service Pack 2: System.security.dll 2.0.50727.4204 or 4434
- (979911) .NET Framework 3.5 Service Pack 1 for Windows Vista Service Pack 1 and for Windows Server 2008: System.security.dll 2.0.50727.3613 or 4434
- (979913) .NET Framework 3.5 for Windows Vista Service Pack 1 and for Windows Server 2008: System.security.dll 2.0.50727.1878

Windows 7 and 2008 R2 Fixed by SP1

- (979916) .NET Framework 3.5 Service Pack 1 for Windows 7 and for Windows Server 2008 R2: System.security.dll 2.0.50727.4951 or 5007
- (98265) .NET Framework 3.5 for Windows 2000, for Windows XP, and for Windows Server 2003: System.security.dll 2.0.50727.1879
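
The file-version check above can be scripted. The following is an added example, not part of the IAVM notice or the STIG check; the function name, the status labels, the `%WINDIR%\Microsoft.NET\Framework\<version>` location of System.Security.dll, and the handling of entries that list two versions (treated as two servicing-branch baselines, with anything between them flagged for manual review) are assumptions.

```powershell
# Added example. Baseline versions are copied from the check text above.
# Assumption: Dir is the framework folder under %WINDIR%\Microsoft.NET\Framework.
$Baselines = @(
    @{ KB = '979904'; Dir = 'v1.0.3705';  Min = '1.0.3705.6074' }
    @{ KB = '979906'; Dir = 'v1.1.4322';  Min = '1.1.4322.2463' }
    @{ KB = '979907'; Dir = 'v1.1.4322';  Min = '1.1.4322.2460' }
    @{ KB = '979909'; Dir = 'v2.0.50727'; Min = '2.0.50727.3613', '2.0.50727.4434' }
    @{ KB = '979910'; Dir = 'v2.0.50727'; Min = '2.0.50727.4204', '2.0.50727.4434' }
    @{ KB = '979911'; Dir = 'v2.0.50727'; Min = '2.0.50727.3613', '2.0.50727.4434' }
    @{ KB = '979913'; Dir = 'v2.0.50727'; Min = '2.0.50727.1878' }
    @{ KB = '979916'; Dir = 'v2.0.50727'; Min = '2.0.50727.4951', '2.0.50727.5007' }
    @{ KB = '98265';  Dir = 'v2.0.50727'; Min = '2.0.50727.1879' }  # KB number as printed in the check
)

function Test-SystemSecurityDll {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$KB,
        [string]$FrameworkRoot = (Join-Path $env:WINDIR 'Microsoft.NET\Framework')
    )
    $entry = $Baselines | Where-Object { $_.KB -eq $KB }
    if (-not $entry) { throw "No baseline for update $KB in the check text" }

    $path = Join-Path $FrameworkRoot (Join-Path $entry.Dir 'System.Security.dll')
    if (-not (Test-Path -LiteralPath $path)) {
        return New-Object psobject -Property @{ KB = $KB; Path = $path; Found = $null; Status = 'NotInstalled' }
    }

    # The FileVersion string can carry a branch suffix, so build the version
    # from the numeric parts instead of casting the string.
    $vi    = (Get-Item -LiteralPath $path).VersionInfo
    $found = New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
    $mins  = @($entry.Min | ForEach-Object { [version]$_ } | Sort-Object)

    # Below every baseline: unpatched. At or above the highest: patched on any branch.
    # In between: could be either branch, so a person has to confirm (assumption).
    $status = if ($found -lt $mins[0]) { 'BelowBaseline' } elseif ($found -ge $mins[-1]) { 'AtOrAboveBaseline' } else { 'Review' }

    New-Object psobject -Property @{ KB = $KB; Path = $path; Found = $found; Status = $status }
}

# Windows 7 maps to update 979916 in the list above.
Test-SystemSecurityDll -KB '979916'
```

On x64 systems, run it a second time with `-FrameworkRoot` pointing at the `Framework64` directory so both copies of the assembly are checked.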
Fix Text
Additional Identifiers
Rule ID:
Vulnerability ID: V-24367
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |