Oval Definition:	oval:org.mitre.oval:def:12365
Revision Date: 2014-08-18 Version: 28 Title: ASP.NET Padding Oracle Vulnerability Description: Microsoft .NET Framework 1.1 SP1, 2.0 SP1 and SP2, 3.5, 3.5 SP1, 3.5.1, and 4.0, as used for ASP.NET in Microsoft Internet Information Services (IIS), provides detailed error codes during decryption attempts, which allows remote attackers to decrypt and modify encrypted View State (aka __VIEWSTATE) form data, and possibly forge cookies or read application files, via a padding oracle attack, aka "ASP.NET Padding Oracle Vulnerability." Family: windows Class: vulnerability Status: ACCEPTED Reference(s): CVE-2010-3332 Platform(s): Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows XP Product(s): Microsoft .NET Framework Definition Synopsis .NET Framework 1.1 SP1 KB2416447 OS section Microsoft Windows XP (32-bit) is installed OR Microsoft Windows XP x64 is installed OR Microsoft Windows Server 2003 (x64) is installed OR Microsoft Windows Server 2003 (ia64) Gold is installed OR Microsoft Windows Vista (32-bit) is installed OR Microsoft Windows Vista x64 Edition is installed OR Microsoft Windows Server 2008 (32-bit) is installed OR Microsoft Windows Server 2008 (64-bit) is installed OR Microsoft Windows Server 2008 (ia-64) is installed AND Microsoft .NET Framework 1.1 Service Pack 1 is Installed AND the version of Mscorlib.dll is less than 1.1.4322.2470 OR .NET Framework 2.0 SP2 and .NET Framework 3.5 SP1. Must include 2.0 SP2 if 3.5 SP1 is installed KB2418241 XP x86/x64, Server 2003 x86/x64/ia64 Microsoft Windows XP (32-bit) is installed OR Microsoft Windows XP x64 is installed OR Microsoft Windows Server 2003 (32-bit) is installed OR Microsoft Windows Server 2003 (x64) is installed OR Microsoft Windows Server 2003 (ia64) Gold is installed AND Microsoft .NET Framework 2.0 Service Pack 2 is installed AND GDR or LDR Service branch the version of System.Web.dll is less than 2.0.50727.3618 OR LDR the version of System.Web.dll is greater than or equal to 2.0.50727.5000 AND the version of System.Web.dll is less than 2.0.50727.5053 OR .NET Framework 2.0 SP1 or .NET Framework 3.5 KB2416468 XP x86/x64, Server 2003 x86/x64/ia64 Microsoft Windows XP (32-bit) is installed OR Microsoft Windows XP x64 is installed OR Microsoft Windows Server 2003 (32-bit) is installed OR Microsoft Windows Server 2003 (x64) is installed OR Microsoft Windows Server 2003 (ia64) Gold is installed AND .NET Framework 2.0/3.5 Microsoft .NET Framework 2.0 Service Pack 1 is installed OR Microsoft .NET Framework 3.5 Original Release is installed AND the version of System.Web.dll is less than 2.0.50727.1887 OR .NET Framework 3.5 KB2418240 OS section Microsoft Windows XP (32-bit) is installed OR Microsoft Windows XP x64 is installed OR Microsoft Windows Server 2003 (32-bit) is installed OR Microsoft Windows Server 2003 (x64) is installed OR Microsoft Windows Server 2003 (ia64) Gold is installed OR Microsoft Windows Vista (32-bit) is installed OR Microsoft Windows Vista x64 Edition is installed OR Microsoft Windows Server 2008 (32-bit) is installed OR Microsoft Windows Server 2008 (64-bit) is installed OR Microsoft Windows Server 2008 (ia-64) is installed AND Microsoft .NET Framework 3.5 Original Release is installed AND the version of System.Web.Extensions.dll is less than 3.5.21022.239 OR .NET Framework 3.5 SP1 KB2416473 OS section Microsoft Windows XP (32-bit) is installed OR Microsoft Windows XP x64 is installed OR Microsoft Windows Server 2003 (32-bit) is installed OR Microsoft Windows Server 2003 (x64) is installed OR Microsoft Windows Server 2003 (ia64) Gold is installed OR Microsoft Windows Vista (32-bit) is installed OR Microsoft Windows Vista x64 Edition is installed OR Microsoft Windows Server 2008 (32-bit) is installed OR Microsoft Windows Server 2008 (64-bit) is installed OR Microsoft Windows Server 2008 (ia-64) is installed AND Microsoft .NET Framework 3.5 SP1 is installed AND GDR or LDR Service branch the version of System.Web.Extensions.dll is less than 3.5.30729.3644 OR LDR the version of System.Web.Extensions.dll is greater than or equal to 3.5.30729.5000 AND the version of System.Web.Extensions.dll is less than 3.5.30729.5053 OR .NET Framework 4.0 (Full) KB2416472 OS section Microsoft Windows XP (32-bit) is installed OR Microsoft Windows XP x64 is installed OR Microsoft Windows Server 2003 (32-bit) is installed OR Microsoft Windows Server 2003 (x64) is installed OR Microsoft Windows Server 2003 (ia64) Gold is installed OR Microsoft Windows Vista (32-bit) is installed OR Microsoft Windows Vista x64 Edition is installed OR Microsoft Windows Server 2008 (32-bit) is installed OR Microsoft Windows Server 2008 (64-bit) is installed OR Microsoft Windows Server 2008 (ia-64) is installed OR Microsoft Windows 7 (32-bit) is installed OR Microsoft Windows 7 x64 Edition is installed OR Microsoft Windows Server 2008 R2 x64 Edition is installed OR Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed AND Microsoft .NET Framework 4.0 Full is installed AND GDR or LDR Service branch the version of System.Web.dll is less than 4.0.30319.206 OR LDR the version of System.Web.dll is greater than or equal to 4.0.30319.300 AND the version of System.Web.dll is less than 4.0.30319.363 OR .NET Framework 2.0 SP1 and .NET Framework 3.5 KB2416469 Vista x86/x64, Server 2008 x86/x64/ia64 Microsoft Windows Vista (32-bit) is installed OR Microsoft Windows Vista x64 Edition is installed OR Microsoft Windows Server 2008 (32-bit) is installed OR Microsoft Windows Server 2008 (64-bit) is installed OR Microsoft Windows Server 2008 (ia-64) is installed AND Microsoft .NET Framework 2.0 Service Pack 1 is installed AND the version of System.Web.dll is less than 2.0.50727.1887 OR .NET Framework 2.0 SP2 and .NET Framework 3.5 SP1 KB2416474 Vista x86/x64, Server 2008 x86/x64/ia64 Microsoft Windows Vista (32-bit) is installed OR Microsoft Windows Vista x64 Edition is installed OR Microsoft Windows Server 2008 (32-bit) is installed OR Microsoft Windows Server 2008 (64-bit) is installed OR Microsoft Windows Server 2008 (ia-64) is installed AND Microsoft .NET Framework 2.0 Service Pack 2 is installed AND GDR or LDR Service branch the version of System.Web.dll is less than 2.0.50727.3618 OR LDR the version of System.Web.dll is greater than or equal to 2.0.50727.5000 AND the version of System.Web.dll is less than 2.0.50727.5053 OR .NET Framework 2.0 SP2, .NET Framework 3.5 and .NET Framework 3.5 SP1 KB2416470 Vista x86/x64, Server 2008 x86/x64/ia64 Microsoft Windows Vista (32-bit) is installed OR Microsoft Windows Vista x64 Edition is installed OR Microsoft Windows Server 2008 (32-bit) is installed OR Microsoft Windows Server 2008 (64-bit) is installed OR Microsoft Windows Server 2008 (ia-64) is installed AND Microsoft .NET Framework 2.0 Service Pack 2 is installed AND GDR or LDR Service branch the version of System.Web.dll is less than 2.0.50727.4209 OR LDR the version of System.Web.dll is greater than or equal to 2.0.50727.5000 AND the version of System.Web.dll is less than 2.0.50727.5053 OR .NET Framework 3.5.1 KB2416471 7 x86/x64, Server 2008 R2 x64/ia64 Microsoft Windows 7 (32-bit) is installed OR Microsoft Windows 7 x64 Edition is installed OR Microsoft Windows Server 2008 R2 x64 Edition is installed OR Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed AND Microsoft .NET Framework 3.5 SP1 is installed AND GDR or LDR Service branch the version of System.web.dll is less than 2.0.50727.4955 OR LDR the version of System.Web.dll is greater than or equal to 2.0.50727.5000 AND the version of System.Web.dll is less than 2.0.50727.5053
BACK