Microsoft Security Bulletin MS15-041 - Important

Published: April 14, 2015 | Updated: May 12, 2015

Version: 2.0

This security update resolves a vulnerability in Microsoft .NET Framework. The vulnerability could allow information disclosure if an attacker sends a specially crafted web request to an affected server that has custom error messages disabled. An attacker who successfully exploited the vulnerability would be able to view parts of a web configuration file, which could expose sensitive information.

This security update is rated Important for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, Microsoft .NET Framework 4.5, Microsoft .NET Framework 4.5.1, and Microsoft .NET Framework 4.5.2 on affected releases of Microsoft Windows. For more information, see the Affected Software section.

The security update addresses the vulnerability by removing file content details from the error messages that were facilitating the information disclosure. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability.

For more information about this update, see Microsoft Knowledge Base Article 3048010.

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

^[1].NET Framework 4 and .NET Framework 4 Client Profile affected.

^[2]This update is available via Windows Update only.

How do I determine which version of Microsoft .NET Framework is installed?
You can install and run multiple versions of .NET Framework on a system, and you can install the versions in any order. For more information, see Microsoft Knowledge Base Article 318785.

What is the difference between .NET Framework 4 and .NET Framework 4 Client Profile?
The .NET Framework version 4 redistributable packages are available in two profiles: .NET Framework 4 and .NET Framework 4 Client Profile. The .NET Framework 4 Client Profile is a subset of the .NET Framework 4 profile that is optimized for client applications. It provides functionality for most client applications, including Windows Presentation Foundation (WPF), Windows Forms, Windows Communication Foundation (WCF), and ClickOnce features. This enables faster deployment and a smaller install package for applications that target the .NET Framework 4 Client Profile. For more information, see the MSDN article, .NET Framework Client Profile. 

There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Affected Software table for the software?
Yes. Customers should apply all updates offered for the software installed on their systems.

Do I need to install these security updates in a particular sequence?
No. Multiple updates for a given system can be applied in any sequence.

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the April bulletin summary.

^[1].NET Framework 4 and .NET Framework 4 Client Profile affected.

An information disclosure vulnerability exists in ASP.NET that is caused when ASP.NET improperly handles certain requests on systems that have custom error messages disabled. An attacker who successfully exploited the vulnerability would be able to view parts of a web configuration file, which could expose sensitive information.

To exploit this vulnerability, an attacker could a send a specially crafted web request to an affected server with the intention of eliciting an error message that could disclose information pertaining to the source line that originated the exception. Ultimately, this could disclose information that was not intended to be accessible. The security update addresses the vulnerability by removing file content details from the error messages that were facilitating the information disclosure.

By default, ASP.NET applications are not exposed to this vulnerability because they are configured to not display detailed error messages to remote users. Sometimes developers turn on detailed error messages to gather information and then fail to turn them off, which would then expose the application to this vulnerability.

The default setting in web.config is as follows:

    <customerrors mode="remoteOnly">

In a production environment, best practice would see this entry changed to the following:

    </customerrors><customerrors mode="On" defaultredirect="ErrorPage.htm"> 

As a general rule, in production environments developers should never use the following:

    </customerrors><customerrors mode="off">

Note that error messages are customizable based on the error code. For more information, see customErrors Element (ASP.NET Settings Schema).

As an added protection against accidental disabling of custom errors, machine administrations can turn on retail mode. See the related workaround in this bulletin for more information.

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

The following mitigating factors may be helpful in your situation:

• Only IIS servers that serve verbose error messages are affected; production servers are unlikely to be affected.

The following workarounds may be helpful in your situation:

• Configure .NET in retail mode on all web servers

  In the machine.config files of all web servers, add the setting "<deployment retail="true" />" to the "system.web" section of the "configuration" section.

  On 32-bit systems, machine.config is found at %windir%\Microsoft.NET\Framework\[version]\config\machine.config.  

  On 64-bit systems, machine.config is found at %windir%\Microsoft.NET\Framework64\[version]\config\machine.config.

  For more information on this setting, see deployment Element (ASP.NET Settings Schema).

  Impact of workaround. All ASP.NET detailed error messages from all websites on each server will be suppressed.

  How to undo the workaround.

  To undo the workaround, remove the setting that was added by way of this procedure.

   

• Enable custom errors for all websites

  In the web.config files for all websites, ensure that the "customErrors" setting (in the "system.web" section of the "configuration" section") is not set to “off”.  Safe values are "on", "remoteonly", or no setting at all.

  For more information on the customErrors setting, see customErrors Element (ASP.NET Settings Schema).

  Impact of workaround. All ASP.NET detailed error messages from all websites will be suppressed.

  How to undo the workaround.

  To undo the workaround, revert the settings that were established by way of this procedure.

For Security Update Deployment information see the Microsoft Knowledge Base article referenced in the Executive Summary.

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.  

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

• V1.0 (April 14, 2015): Bulletin published.
• V2.0 (May 12, 2015): Bulletin re-released to address issues with the 3037580 update for Microsoft .NET Framework 4.5/4.5.1/4.5.2 on affected editions of Microsoft Windows. Customers running these versions of .NET Framework are encouraged to install the new version of the 3037580 update to be protected from the vulnerability discussed in this bulletin. See Microsoft Knowledge Base Article 3037580 for more information.

Page generated 2015-05-06 13:24Z-07:00.