Description
.NET Framework Information Disclosure Vulnerability
An information disclosure vulnerability exists in the Data Provider for SQL Server in Microsoft .NET Framework 4.6.2 that could allow an attacker to access information that should be protected by the Always Encrypted feature. The vulnerability is caused when .NET Framework improperly uses a developer-supplied key. When this key is misused, it is also possible for access to the data to be temporarily lost (an availability impact in addition to the disclosure).
To exploit the vulnerability, an attacker who can access the incorrectly encrypted data could attempt to decrypt the data using an easily guessable key.
The security update addresses the vulnerability by correcting the way .NET Framework handles the developer-supplied key, and thus properly defends the data.
Workaround
Caching of column encryption keys (CEKs) can be turned off by setting the static SqlConnection.ColumnEncryptionKeyCacheTtl property to TimeSpan.Zero in the .NET Framework 4.6.2 driver. The property is the time-to-live of the driver's CEK cache (the default is two hours); a value of zero means keys are not cached at all, so every use of an encrypted column unwraps the CEK again through the column master key. This disables only the cache, not Always Encrypted itself, and adds a key-store round trip per use. Please see the TimeSpan.Zero field documentation for more information.
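The following C# snippet is an added example, not code from the advisory or from Microsoft: it applies the workaround above at process start, verifies it took effect, and opens an Always Encrypted-enabled connection. The server, database, table and column names are assumptions for illustration; integrated security and an encrypted transport are chosen for the example, not prescribed by the advisory.

```csharp
using System;
using System.Data.SqlClient;

// Added example (not the advisory's own code). Applies the advisory's
// workaround: disable the Always Encrypted column encryption key (CEK)
// cache process-wide so no decrypted CEK is retained between uses.
static class AlwaysEncryptedWorkaround
{
    // Call once at startup, before any SqlConnection is opened.
    // ColumnEncryptionKeyCacheTtl is static: it applies to every
    // connection in the process, not to a single connection object.
    public static void DisableCekCache()
    {
        SqlConnection.ColumnEncryptionKeyCacheTtl = TimeSpan.Zero;
    }

    // Startup self-check so the process fails fast if other code
    // re-enabled caching (the default TTL is two hours).
    public static bool IsCekCacheDisabled()
    {
        return SqlConnection.ColumnEncryptionKeyCacheTtl == TimeSpan.Zero;
    }

    // Builds a connection string with Always Encrypted turned on so the
    // driver transparently encrypts parameters and decrypts results.
    // Server and database names are hypothetical.
    public static string BuildConnectionString(string server, string database)
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database,
            IntegratedSecurity = true,
            Encrypt = true,
            ColumnEncryptionSetting = SqlConnectionColumnEncryptionSetting.Enabled,
        };
        return builder.ConnectionString;
    }

    static void Main()
    {
        DisableCekCache();
        if (!IsCekCacheDisabled())
            throw new InvalidOperationException("CEK cache TTL is not zero");

        // Hypothetical server, database, table and column.
        var connectionString = BuildConnectionString("sqlserver.example.internal", "Payroll");
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("SELECT TOP 1 SSN FROM dbo.Employees", conn))
        {
            conn.Open();
            // With caching disabled the driver unwraps the CEK via the
            // column master key on every use: correct, but slower.
            var value = cmd.ExecuteScalar();
            Console.WriteLine(value == null ? "(no rows)" : "decrypted value read");
        }
    }
}
```

Treat this as a stopgap until the security update is installed: it removes the cached-key behaviour the advisory describes, at the cost of a key-store round trip per encrypted-column access. Because the property is static, set it in the application's entry point rather than next to individual queries, and keep the self-check so a later library initialisation cannot silently restore the default TTL.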
Updates
Product | Article | Update |
---|---|---|
Microsoft .NET Framework 4.6.2 on Windows Server 2012 R2 | | |
Microsoft .NET Framework 4.6.2 on Windows Server 2012 R2 (Server Core installation) | | |
Microsoft .NET Framework 4.6.2 on Windows Server 2012 | | |
Microsoft .NET Framework 4.6.2 on Windows Server 2012 (Server Core installation) | | |
Microsoft .NET Framework 4.6.2 on Windows 8.1 for x64-based systems | | |
Microsoft .NET Framework 4.6.2 on Windows 7 for 32-bit Systems Service Pack 1 | | |
Microsoft .NET Framework 4.6.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 | | |
Microsoft .NET Framework 4.6.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | | |
Microsoft .NET Framework 4.6.2 on Windows 7 for x64-based Systems Service Pack 1 | | |
Microsoft .NET Framework 4.6.2 on Windows 8.1 for 32-bit systems | | |
Exploitability
Publicly Disclosed | Exploited | Latest Software Release | Older Software Release | EPSS |
---|---|---|---|---|
Related vulnerabilities
The Data Provider for SQL Server in Microsoft .NET Framework 4.6.2 mishandles a developer-supplied key, which allows remote attackers to bypass the Always Encrypted protection mechanism and obtain sensitive cleartext information by leveraging key guessability, aka ".NET Information Disclosure Vulnerability."