CVE-2010-3332 Information
Description
Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability."
Reference
http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx
http://isc.sans.edu/diary.html?storyid=9568
http://pentonizer.com/general-programming/aspnet-poet-vulnerability-what-else-can-i-do/
http://secunia.com/advisories/41409
http://securitytracker.com/id?1024459
http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310
http://twitter.com/thaidn/statuses/24832350146
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
http://www.dotnetnuke.com/Community/Blogs/tabid/825/EntryId/2799/Oracle-Padding-Vulnerability-in-ASP-NET.aspx
http://www.ekoparty.org/juliano-rizzo-2010.php
http://www.microsoft.com/technet/security/advisory/2416728.mspx
http://www.mono-project.com/VulnerabilitiesASP.NET_Padding_Oracle
http://www.securityfocus.com/bid/43316
http://www.theinquirer.net/inquirer/news/1732956/security-researchers-destroy-microsoft-aspnet-security
http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding-oracle.html
http://www.vupen.com/english/advisories/2010/2429
http://www.vupen.com/english/advisories/2010/2751
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-070
https://exchange.xforce.ibmcloud.com/vulnerabilities/61898
https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A12365