Description
TLS/SSL Information Disclosure Vulnerability
An information disclosure vulnerability exists in the TLS/SSL protocol, implemented in the encryption component of Microsoft .NET Framework. An attacker who successfully exploited this vulnerability could decrypt encrypted SSL/TLS traffic.
To exploit the vulnerability, an attacker would first have to inject unencrypted data into the secure channel and then perform a man-in-the-middle (MiTM) attack between the targeted client and a legitimate server. The update addresses the vulnerability by modifying the way that the .NET encryption component sends and receives encrypted network packets.
Important: Microsoft recommends that customers download and test the applicable update in controlled/managed environments before deploying it in their production environments.
In case of application compatibility issues, the recommended approach is to ensure that the server and client endpoints are correctly implementing the TLS RFC, and that they can interpret two split records containing 1, n-1 bytes respectively after this update. For more information and developer guidance, see Microsoft Knowledge Base Article 3155464.
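The compatibility requirement above, as an added example (not Microsoft's code or part of the original advisory): a receiver that treats one TLS record as one application message breaks under the 1, n-1 split, while one that reassembles the byte stream does not. The 4-byte length-prefixed message format, the function names and the sample request are assumptions for illustration, and payloads are shown as plaintext where real records carry ciphertext.

```python
import struct

APPLICATION_DATA = 23   # TLS ContentType value for application data
TLS_1_0 = (3, 1)        # record-layer version bytes for TLS 1.0

def to_records(message: bytes, split: bool) -> bytes:
    """Frame message as TLS-style records; split=True uses the 1, n-1 layout.
    Payloads stay plaintext here; real records carry ciphertext and a MAC."""
    chunks = [message[:1], message[1:]] if split and len(message) > 1 else [message]
    return b"".join(
        struct.pack("!BBBH", APPLICATION_DATA, *TLS_1_0, len(c)) + c for c in chunks
    )

def record_payloads(stream: bytes) -> list:
    """Parse 5-byte record headers and return each record's payload."""
    payloads, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header")
        ctype, _major, _minor, length = struct.unpack_from("!BBBH", stream, offset)
        body = stream[offset + 5 : offset + 5 + length]
        if ctype != APPLICATION_DATA or len(body) != length:
            raise ValueError("unexpected or truncated record")
        payloads.append(body)
        offset += 5 + length
    return payloads

def fragile_receive(stream: bytes) -> bytes:
    """Anti-pattern: assumes the first record holds the whole message."""
    return record_payloads(stream)[0][4:]

def robust_receive(stream: bytes) -> bytes:
    """Joins record payloads into a byte stream, then applies the length prefix."""
    data = b"".join(record_payloads(stream))
    if len(data) < 4:
        raise ValueError("incomplete length prefix")
    (n,) = struct.unpack_from("!I", data)
    if len(data) - 4 < n:
        raise ValueError("incomplete message")
    return data[4 : 4 + n]

# Constructed sample: an application message with a 4-byte length prefix.
BODY = b"GET /status"
MESSAGE = struct.pack("!I", len(BODY)) + BODY

if __name__ == "__main__":
    for split in (False, True):
        s = to_records(MESSAGE, split)
        print(split, [len(p) for p in record_payloads(s)],
              fragile_receive(s), robust_receive(s))
```

In .NET terms the same rule applies to reads from the TLS stream: loop until the expected number of bytes has arrived instead of assuming one read returns one message.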
Mitigations
The following mitigating factors may be helpful in your situation: Customers who have enabled TLS 1.2 are not affected. For more information and developer guidance, see Microsoft Knowledge Base Article 3155464.
Updates
Product | Article | Update |
---|---|---|
Microsoft .NET Framework 4.6 on Windows Vista Service Pack 2 | | |
Microsoft .NET Framework 4.5.2 on Windows Vista x64 Edition Service Pack 2 | | |
Microsoft .NET Framework 4.6 on Windows Vista x64 Edition Service Pack 2 | | |
Microsoft .NET Framework 4.5.2 on Windows Server 2008 for 32-bit Systems Service Pack 2 | | |
Microsoft .NET Framework 4.6 on Windows Server 2008 for 32-bit Systems Service Pack 2 | | |
Microsoft .NET Framework 4.5.2 on Windows Server 2008 for x64-based Systems Service Pack 2 | | |
Microsoft .NET Framework 4.6 on Windows Server 2008 for x64-based Systems Service Pack 2 | | |
Microsoft .NET Framework 4.5.2 on Windows 7 for 32-bit Systems Service Pack 1 | | |
Microsoft .NET Framework 4.6/4.6.1 on Windows 7 for 32-bit Systems Service Pack 1 | | |
Microsoft .NET Framework 4.5.2 on Windows 7 for x64-based Systems Service Pack 1 | | |
Related vulnerabilities
Microsoft .NET Framework 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, and 4.6.1 allows man-in-the-middle attackers to obtain sensitive cleartext information via vectors involving injection of cleartext data into the client-server data stream, aka "TLS/SSL Information Disclosure Vulnerability."
A vulnerability in the Microsoft .NET Framework software platform that allows an attacker to gain access to protected information