Credentials disclosure in ActiveSyncProvider in Windows - CVE-2016-3312

 


Published: August 10, 2016 / Updated: February 3, 2017


Vulnerability identifier: #VU294
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-3312
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Microsoft
Affected software: Windows

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to an error in Universal Outlook, which fails to establish a secure connection to the server. A remote attacker can launch a man-in-the-middle (MiTM) or spoofing attack and obtain the username and password of the target user.

Successful exploitation of this vulnerability may allow an attacker to obtain user credentials and use them in further attacks.


How to mitigate CVE-2016-3312


Sources