Vulnerability Name:

CVE-2015-1716 (CCN-102968)

Assigned:2015-05-12
Published:2015-05-12
Updated:2019-05-15
Summary:Schannel in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly restrict Diffie-Hellman Ephemeral (DHE) key lengths, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors, aka "Schannel Information Disclosure Vulnerability."
CVSS v3 Severity:3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N)
1.9 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-200
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2015-1716

Source: CCN
Type: Microsoft Security Bulletin MS15-055
Microsoft Security Bulletin MS15-055: Vulnerability in Schannel Could Allow Information Disclosure (3061518)

Source: CCN
Type: Microsoft Security Bulletin MS15-076
Vulnerability in Windows Remote Procedure Call Could Allow Elevation of Privilege (3067505)

Source: CCN
Type: Microsoft Security Bulletin MS15-085
Vulnerability in Mount Manager Could Allow Elevation of Privilege (3082487)

Source: CCN
Type: Microsoft Security Bulletin MS15-090
Vulnerabilities in Microsoft Windows Could Allow Security Bypass (3060716)

Source: CCN
Type: Microsoft Security Bulletin MS15-111
Security Update for Windows Kernel to Address Elevation of Privilege (3096447)

Source: CCN
Type: Microsoft Security Bulletin MS15-115
Security Update for Microsoft Windows to Address Remote Code Execution (3105864)

Source: CCN
Type: Microsoft Security Bulletin MS15-121
Security Update to Schannel to Address Spoofing (3081320)

Source: CCN
Type: Microsoft Security Bulletin MS15-122
Security Update for Kerberos to Address Security Feature Bypass (3105256)

Source: CCN
Type: Microsoft Security Bulletin MS15-128
Security Update for Microsoft Graphics Component to Address Remote Code Execution (3104503)

Source: CCN
Type: Microsoft Security Bulletin MS15-132
Security Update for Microsoft Windows to Address Remote Code Execution (3116162)

Source: CCN
Type: Microsoft Security Bulletin MS15-135
Security Update for Windows Kernel Mode Drivers to Address Elevation of Privilege (3119075)

Source: CCN
Type: Microsoft Security Bulletin MS16-008
Security Update for Kernel to Address Elevation of Privilege (3124605)

Source: CCN
Type: Microsoft Security Bulletin MS16-014
Security update for Microsoft Windows to Address Remote Code Execution (3134228)

Source: CCN
Type: Microsoft Security Bulletin MS16-031
Security Update for Microsoft Windows to Address Elevation of Privilege (3140410)

Source: CCN
Type: Microsoft Security Bulletin MS16-035
Security Update for .NET Framework to Address Security Feature Bypass (3141780)

Source: CCN
Type: Microsoft Security Bulletin MS16-044
Security Update for Windows OLE (3146706)

Source: CCN
Type: Microsoft Security Bulletin MS16-047
Security Update for SAM and LSAD Remote Protocols (3148527)

Source: CCN
Type: Microsoft Security Bulletin MS16-048
Security Update for CSRSS (3148528)

Source: CCN
Type: Microsoft Security Bulletin MS16-060
Security Update for Windows Kernel (3154846)

Source: CCN
Type: Microsoft Security Bulletin MS16-061
Security Update for Microsoft RPC (3155520)

Source: CCN
Type: Microsoft Security Bulletin MS16-075
Security Update for Windows SMB Server (3164038)

Source: CCN
Type: Microsoft Security Bulletin MS16-076
Security Update for Netlogon (3167691)

Source: CCN
Type: Microsoft Security Bulletin MS16-092
Security Update for Windows Kernel (3171910)

Source: CCN
Type: Microsoft Security Bulletin MS16-101
Security Update for Windows Authentication Methods (3178465)

Source: CCN
Type: Microsoft Security Bulletin MS16-110
Security Update for Windows (3178467)

Source: CCN
Type: Microsoft Security Bulletin MS16-111
Security Update for Windows Kernel (3186973)

Source: CCN
Type: Microsoft Security Bulletin MS16-120
Security Update for Microsoft Graphics Component (3192884)

Source: CCN
Type: Microsoft Security Bulletin MS16-122
Security Update for Microsoft Video Control (3195360)

Source: CCN
Type: Microsoft Security Bulletin MS16-123
Security Update for Kernel-Mode Drivers (3192892)

Source: CCN
Type: Microsoft Security Bulletin MS16-124
Security Update for Windows Registry (3193227)

Source: CCN
Type: Microsoft Security Bulletin MS16-126
Security Update for Microsoft Internet Messaging API (3196067)

Source: CCN
Type: Microsoft Security Bulletin MS16-131
Security Update for Microsoft Video Control (3199151)

Source: CCN
Type: Microsoft Security Bulletin MS16-137
Security Update for Windows Authentication Methods (3199173)

Source: CCN
Type: Microsoft Security Bulletin MS16-139
Security Update for Windows Kernel (3199720)

Source: CCN
Type: Microsoft Security Bulletin MS16-149
Security Update for Windows (3205655)

Source: CCN
Type: Microsoft Security Bulletin MS16-155
Security Update for .NET Framework (3205640)

Source: CCN
Type: Microsoft Security Bulletin MS17-004
Security Update for Local Security Authority Subsystem Service (3216771)

Source: CCN
Type: Microsoft Security Bulletin MS17-006
Cumulative Security Update for Internet Explorer (4013073)

Source: CCN
Type: Microsoft Security Bulletin MS17-013
Security Update for Microsoft Graphics Component (4013075)

Source: BID
Type: Third Party Advisory, VDB Entry
74489

Source: CCN
Type: BID-74489
Microsoft Windows CVE-2015-1716 Information Disclosure Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1032283

Source: MS
Type: Patch, Vendor Advisory
MS15-055

Source: XF
Type: UNKNOWN
ms-schannel-cve20151716-info-disc(102968)

Vulnerable Configuration:Configuration 1:
  • cpe:/o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_8:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_rt:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2003:-:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*
  • OR cpe:/o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/o:microsoft:windows:server_2003:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:sp2:itanium:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:sp2:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:*:sp2:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x32:*
  • OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:itanium:*
  • OR cpe:/o:microsoft:windows_7:-:sp1:-:*:-:-:x32:*
  • OR cpe:/o:microsoft:windows_7:*:sp1:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*
  • OR cpe:/o:microsoft:windows_8:-:-:-:*:-:-:x32:*
  • OR cpe:/o:microsoft:windows_8:*:*:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2012:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_rt:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_8.1:-:-:-:*:-:-:x32:*
  • OR cpe:/o:microsoft:windows_8.1:*:*:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.mitre.oval:def:28672
    V
    		Schannel information disclosure vulnerability - CVE-2015-1716 (MS15-055)
    2015-07-06
    BACK
    microsoft windows 7 - sp1
    microsoft windows 8 -
    microsoft windows 8.1 -
    microsoft windows rt -
    microsoft windows rt 8.1 -
    microsoft windows server 2003 - sp2
    microsoft windows server 2008 - sp2
    microsoft windows server 2008 r2 sp1
    microsoft windows server 2008 r2 sp1
    microsoft windows server 2012 -
    microsoft windows server 2012 r2
    microsoft windows vista - sp2
    microsoft windows server_2003 sp2
    microsoft windows server_2003 sp2
    microsoft windows server_2003 sp2
    microsoft windows vista * sp2
    microsoft windows vista * sp2
    microsoft windows server 2008 sp2
    microsoft windows server 2008 sp2
    microsoft windows server 2008
    microsoft windows 7 - sp1
    microsoft windows 7 * sp1
    microsoft windows server 2008 r2
    microsoft windows server 2008 r2
    microsoft windows 8 - -
    microsoft windows 8 *
    microsoft windows server 2012
    microsoft windows rt -
    microsoft windows 8.1 - -
    microsoft windows 8.1 *
    microsoft windows server 2012 r2
    microsoft windows rt 8.1 *