#VU123 Information disclosure in .NET Framework in Microsoft .NET Framework - CVE-2016-3255 

CSH
CYBERSECURITY HELP
Sign In REGISTER
 
Main Vulnerability Database Vulnerabilities #VU123

#VU123 Information disclosure in .NET Framework in Microsoft .NET Framework - CVE-2016-3255

Published: July 13, 2016 / Updated: January 20, 2017


Vulnerability identifier: #VU123
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2016-3255
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Microsoft .NET Framework
Software vendor:
Microsoft

Description

The vulnerability allows a remote attacker to read arbitrary files on vulnerable system.

The vulnerability exists due to an error when parsing XML files. A remote attacker, who can supply specially crafted XML file, containing a reference to an external entity, can read arbitrary files on vulnerable system via an XML external entity declaration.

Successful exploitation of this vulnerability may allow a remote attacker to read contents of arbitrary files on vulnerable system.


Remediation

To resolve this vulnerability vendor recommends installing the following updates:

Windows Vista Service Pack 2

Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6

Windows Vista x64 Edition Service Pack 2

Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6

Windows Server 2008 for 32-bit Systems Service Pack 2

Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6

Windows Server 2008 for x64-based Systems Service Pack 2

Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6

Windows Server 2008 for Itanium-based Systems Service Pack 2

Microsoft .NET Framework 2.0 Service Pack 2

Windows 7 for 32-bit Systems Service Pack 1

Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6/4.6.1

Windows 7 for x64-based Systems Service Pack 1

Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6/4.6.1

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6/4.6.1

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Microsoft .NET Framework 3.5.1

Windows 8.1 for 32-bit Systems

Microsoft .NET Framework 3.5
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6/4.6.1

Windows 8.1 for x64-based Systems

Microsoft .NET Framework 3.5
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6/4.6.1

Windows Server 2012

Microsoft .NET Framework 3.5
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6/4.6.1

Windows Server 2012 R2

Microsoft .NET Framework 3.5
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6/4.6.1

Windows RT 8.1

Use Windows Update to obtain patch.

Windows 10

Microsoft .NET Framework 3.5/4.6

Windows 10 Version 1511

Microsoft .NET Framework 3.5/4.6.1

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6/4.6.1

Windows Server 2012 (Server Core installation)

Microsoft .NET Framework 3.5
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6/4.6.1

Windows Server 2012 R2 (Server Core installation)

Microsoft .NET Framework 3.5
Microsoft .NET Framework 4.5.2
Microsoft .NET Framework 4.6/4.6.1

 


External links