Microsoft Security Bulletin MS15-041 - Important

Vulnerability in .NET Framework Could Allow Information Disclosure (3048010)

Published: April 14, 2015 | Updated: May 12, 2015

Version: 2.0

Executive Summary

This security update resolves a vulnerability in Microsoft .NET Framework. The vulnerability could allow information disclosure if an attacker sends a specially crafted web request to an affected server that has custom error messages disabled. An attacker who successfully exploited the vulnerability would be able to view parts of a web configuration file, which could expose sensitive information.

This security update is rated Important for Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, Microsoft .NET Framework 4.5, Microsoft .NET Framework 4.5.1, and Microsoft .NET Framework 4.5.2 on affected releases of Microsoft Windows. For more information, see the Affected Software section.

The security update addresses the vulnerability by removing file content details from the error messages that were facilitating the information disclosure. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability.

For more information about this update, see Microsoft Knowledge Base Article 3048010.

Affected Software

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

Operating System Component Maximum Security Impact Aggregate Severity Rating Updates Replaced
Windows Server 2003
Windows Server 2003 Service Pack 2 Microsoft .NET Framework 1.1 Service Pack 1 (3037572) Information Disclosure Important 2901115 in MS14-009
Windows Server 2003 Service Pack 2 Microsoft .NET Framework 2.0 Service Pack 2 (3037577) Information Disclosure Important 2901111 in MS14-009
Windows Server 2003 Service Pack 2 Microsoft .NET Framework 4[1](3037578) Information Disclosure Important 2901110 in MS14-009
Windows Server 2003 x64 Edition Service Pack 2 Microsoft .NET Framework 2.0 Service Pack 2 (3037577) Information Disclosure Important 2901111 in MS14-009
Windows Server 2003 x64 Edition Service Pack 2 Microsoft .NET Framework 4[1](3037578) Information Disclosure Important 2901110 in MS14-009
Windows Server 2003 with SP2 for Itanium-based Systems Microsoft .NET Framework 2.0 Service Pack 2 (3037577) Information Disclosure Important 2901111 in MS14-009
Windows Server 2003 with SP2 for Itanium-based Systems Microsoft .NET Framework 4[1](3037578) Information Disclosure Important 2901110 in MS14-009
Windows Vista
Windows Vista Service Pack 2 Microsoft .NET Framework 2.0 Service Pack 2 (3037573) Information Disclosure Important 2901113 in MS14-009
Windows Vista Service Pack 2 Microsoft .NET Framework 4[1](3037578) Information Disclosure Important 2901110 in MS14-009
Windows Vista Service Pack 2 Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3037581) Information Disclosure Important 2901126 in MS14-009
Windows Vista x64 Edition Service Pack 2 Microsoft .NET Framework 2.0 Service Pack 2 (3037573) Information Disclosure Important 2901113 in MS14-009
Windows Vista x64 Edition Service Pack 2 Microsoft .NET Framework 4[1](3037578) Information Disclosure Important 2901110 in MS14-009
Windows Vista x64 Edition Service Pack 2 Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3037581) Information Disclosure Important 2901126 in MS14-009
Windows Server 2008
Windows Server 2008 for 32-bit Systems Service Pack 2 Microsoft .NET Framework 2.0 Service Pack 2 (3037573) Information Disclosure Important 2901113 in MS14-009
Windows Server 2008 for 32-bit Systems Service Pack 2 Microsoft .NET Framework 4[1](3037578) Information Disclosure Important 2901110 in MS14-009
Windows Server 2008 for 32-bit Systems Service Pack 2 Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3037581) Information Disclosure Important 2901126 in MS14-009
Windows Server 2008 for x64-based Systems Service Pack 2 Microsoft .NET Framework 2.0 Service Pack 2 (3037573) Information Disclosure Important 2901113 in MS14-009
Windows Server 2008 for x64-based Systems Service Pack 2 Microsoft .NET Framework 4[1](3037578) Information Disclosure Important 2901110 in MS14-009
Windows Server 2008 for x64-based Systems Service Pack 2 Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3037581) Information Disclosure Important 2901126 in MS14-009
Windows Server 2008 for Itanium-based Systems Service Pack 2 Microsoft .NET Framework 2.0 Service Pack 2 (3037573) Information Disclosure Important 2901113 in MS14-009
Windows Server 2008 for Itanium-based Systems Service Pack 2 Microsoft .NET Framework 4[1](3037578) Information Disclosure Important 2901110 in MS14-009
Windows 7
Windows 7 for 32-bit Systems Service Pack 1 Microsoft .NET Framework 3.5.1 (3037574) Information Disclosure Important 2901112 in MS14-009
Windows 7 for 32-bit Systems Service Pack 1 Microsoft .NET Framework 4[1](3037578) Information Disclosure Important 2901110 in MS14-009
Windows 7 for 32-bit Systems Service Pack 1 Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3037581) Information Disclosure Important 2901126 in MS14-009
Windows 7 for x64-based Systems Service Pack 1 Microsoft .NET Framework 3.5.1 (3037574) Information Disclosure Important 2901112 in MS14-009
Windows 7 for x64-based Systems Service Pack 1 Microsoft .NET Framework 4[1](3037578) Information Disclosure Important 2901110 in MS14-009
Windows 7 for x64-based Systems Service Pack 1 Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3037581) Information Disclosure Important 2901126 in MS14-009
Windows Server 2008 R2
Windows Server 2008 R2 for x64-based Systems Service Pack 1 Microsoft .NET Framework 3.5.1 (3037574) Information Disclosure Important 2901112 in MS14-009
Windows Server 2008 R2 for x64-based Systems Service Pack 1 Microsoft .NET Framework 4[1](3037578) Information Disclosure Important 2901110 in MS14-009
Windows Server 2008 R2 for x64-based Systems Service Pack 1 Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3037581) Information Disclosure Important 2901126 in MS14-009
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Microsoft .NET Framework 3.5.1 (3037574) Information Disclosure Important 2901112 in MS14-009
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Microsoft .NET Framework 4[1](3037578) Information Disclosure Important 2901110 in MS14-009
Windows 8 and Windows 8.1
Windows 8 for 32-bit Systems Microsoft .NET Framework 3.5 (3037575) Information Disclosure Important 2901120 in MS14-009
Windows 8 for 32-bit Systems Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3037580) Information Disclosure Important 2901119 and 2901127 in MS14-009
Windows 8 for x64-based Systems Microsoft .NET Framework 3.5 (3037575) Information Disclosure Important 2901120 in MS14-009
Windows 8 for x64-based Systems Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3037580) Information Disclosure Important 2901119 and 2901127 in MS14-009
Windows 8.1 for 32-bit Systems Microsoft .NET Framework 3.5 (3037576) Information Disclosure Important 2901125 in MS14-009
Windows 8.1 for 32-bit Systems Microsoft .NET Framework 4.5.1/4.5.2 (3037579) Information Disclosure Important 2901128 in MS14-009
Windows 8.1 for x64-based Systems Microsoft .NET Framework 3.5 (3037576) Information Disclosure Important 2901125 in MS14-009
Windows 8.1 for x64-based Systems Microsoft .NET Framework 4.5.1/4.5.2 (3037579) Information Disclosure Important 2901128 in MS14-009
Windows Server 2012 and Windows Server 2012 R2
Windows Server 2012 Microsoft .NET Framework 3.5 (3037575) Information Disclosure Important 2901120 in MS14-009
Windows Server 2012 Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3037580) Information Disclosure Important 2901119 and 2901127 in MS14-009
Windows Server 2012 R2 Microsoft .NET Framework 3.5 (3037576) Information Disclosure Important 2901125 in MS14-009
Windows Server 2012 R2 Microsoft .NET Framework 4.5.1/4.5.2 (3037579) Information Disclosure Important 2901128 in MS14-009
Windows RT and Windows RT 8.1
Windows RT Microsoft .NET Framework 4.5/4.5.1/4.5.2[2](3037580) Information Disclosure Important 2901119 and 2901127 in MS14-009
Windows RT 8.1 Microsoft .NET Framework 4.5.1/4.5.2[2](3037579) Information Disclosure Important 2901128 in MS14-009
Server Core installation option
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Microsoft .NET Framework 3.5.1 (3037574) Information Disclosure Important 2901112 in MS14-009
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Microsoft .NET Framework 4[1](3037578) Information Disclosure Important 2901110 in MS14-009
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3037581) Information Disclosure Important 2901126 in MS14-009
Windows Server 2012 (Server Core installation) Microsoft .NET Framework 3.5 (3037575) Information Disclosure Important 2901120 in MS14-009
Windows Server 2012 (Server Core installation) Microsoft .NET Framework 4.5/4.5.1/4.5.2 (3037580) Information Disclosure Important 2901119 and 2901127 in MS14-009
Windows Server 2012 R2 (Server Core installation) Microsoft .NET Framework 3.5 (3037576) Information Disclosure Important 2901125 in MS14-009
Windows Server 2012 R2 (Server Core installation) Microsoft .NET Framework 4.5.1/4.5.2 (3037579) Information Disclosure Important 2901128 in MS14-009

[1].NET Framework 4 and .NET Framework 4 Client Profile affected.

[2]This update is available via Windows Update only.

 

Update FAQ

How do I determine which version of Microsoft .NET Framework is installed?
You can install and run multiple versions of .NET Framework on a system, and you can install the versions in any order. For more information, see Microsoft Knowledge Base Article 318785.

What is the difference between .NET Framework 4 and .NET Framework 4 Client Profile?
The .NET Framework version 4 redistributable packages are available in two profiles: .NET Framework 4 and .NET Framework 4 Client Profile. The .NET Framework 4 Client Profile is a subset of the .NET Framework 4 profile that is optimized for client applications. It provides functionality for most client applications, including Windows Presentation Foundation (WPF), Windows Forms, Windows Communication Foundation (WCF), and ClickOnce features. This enables faster deployment and a smaller install package for applications that target the .NET Framework 4 Client Profile. For more information, see the MSDN article, .NET Framework Client Profile

There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Affected Software table for the software?
Yes. Customers should apply all updates offered for the software installed on their systems.

Do I need to install these security updates in a particular sequence?
No. Multiple updates for a given system can be applied in any sequence.

Severity Ratings and Vulnerability Identifiers

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the April bulletin summary.

Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Affected Software ASP.NET Information Disclosure Vulnerability - CVE-2015-1648 Aggregate Severity Rating
Microsoft .NET Framework 1.1 Service Pack 1
Microsoft .NET Framework 1.1 Service Pack 1 on Microsoft Windows Server 2003 Service Pack 2 (3037572) Important Information Disclosure Important
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 2.0 Service Pack 2 when installed on Microsoft Windows Server 2003 Service Pack 2 (3037577) Important Information Disclosure Important
Microsoft .NET Framework 2.0 Service Pack 2 when installed on Microsoft Windows Server 2003 x64 Edition Service Pack 2 (3037577) Important Information Disclosure Important
Microsoft .NET Framework 2.0 Service Pack 2 when installed on Microsoft Windows Server 2003 for Itanium-based Systems Service Pack 2 (3037577) Important Information Disclosure Important
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Vista Service Pack 2 (3037573) Important Information Disclosure Important
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Vista x64 Edition Service Pack 2 (3037573) Important Information Disclosure Important
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for 32-bit Systems Service Pack 2 (3037573) Important Information Disclosure Important
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for x64-based Systems Service Pack 2 (3037573) Important Information Disclosure Important
Microsoft .NET Framework 2.0 Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2 (3037573) Important Information Disclosure Important
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5 on Windows 8 for 32-bit Systems (3037575) Important Information Disclosure Important
Microsoft .NET Framework 3.5 on Windows 8 for x64-based Systems (3037575) Important Information Disclosure Important
Microsoft .NET Framework 3.5 on Windows Server 2012 (3037575) Important Information Disclosure Important
Microsoft .NET Framework 3.5 on Windows Server 2012 (Server Core installation) (3037575) Important Information Disclosure Important
Microsoft .NET Framework 3.5 on Windows 8.1 for 32-bit Systems (3037576) Important Information Disclosure Important
Microsoft .NET Framework 3.5 on Windows 8.1 for x64-based Systems (3037576) Important Information Disclosure Important
Microsoft .NET Framework 3.5 on Windows Server 2012 R2 (3037576) Important Information Disclosure Important
Microsoft .NET Framework 3.5 on Windows Server 2012 R2 (Server Core installation) (3037576) Important Information Disclosure Important
Microsoft .NET Framework 3.5.1
Microsoft .NET Framework 3.5.1 on Windows 7 for 32-bit Systems Service Pack 1 (3037574) Important Information Disclosure Important
Microsoft .NET Framework 3.5.1 on Windows 7 for x64-based Systems Service Pack 1 (3037574) Important Information Disclosure Important
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3037574) Important Information Disclosure Important
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3037574) Important Information Disclosure Important
Microsoft .NET Framework 3.5.1 on Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (3037574) Important Information Disclosure Important
Microsoft .NET Framework 4
Microsoft .NET Framework 4 when installed on Windows Server 2003 Service Pack 2 (3037578)[1] Important Information Disclosure Important
Microsoft .NET Framework 4 when installed on Windows Server 2003 x64 Edition Service Pack 2 (3037578)[1] Important Information Disclosure Important
Microsoft .NET Framework 4 when installed on Windows Server 2003 with SP2 for Itanium-based Systems (3037578)[1] Important Information Disclosure Important
Microsoft .NET Framework 4 on Windows Vista Service Pack 2 (3037578)[1] Important Information Disclosure Important
Microsoft .NET Framework 4 on Windows Vista x64 Edition Service Pack 2 (3037578)[1] Important Information Disclosure Important
Microsoft .NET Framework 4 when installed on Windows Server 2008 for 32-bit Systems Service Pack 2 (3037578)[1] Important Information Disclosure Important
Microsoft .NET Framework 4 when installed on Windows Server 2008 for x64-based Systems Service Pack 2 (3037578)[1] Important Information Disclosure Important
Microsoft .NET Framework 4 when installed on Windows Server 2008 for Itanium-based Systems Service Pack 2 (3037578)[1] Important Information Disclosure Important
Microsoft .NET Framework 4 when installed on Windows 7 for 32-bit Systems Service Pack 1 (3037578)[1] Important Information Disclosure Important
Microsoft .NET Framework 4 when installed on Windows 7 for x64-based Systems Service Pack 1 (3037578)[1] Important Information Disclosure Important
Microsoft .NET Framework 4 when installed on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3037578)[1] Important Information Disclosure Important
Microsoft .NET Framework 4 when installed on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3037578)[1] Important Information Disclosure Important
Microsoft .NET Framework 4 when installed on Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 (3037578)[1] Important Information Disclosure Important
Microsoft .NET Framework 4.5/4.5.1/4.5.2
Microsoft .NET Framework 4.5/4.5.1/4.5.2 when installed on Windows Vista Service Pack 2 (3037581) Important Information Disclosure Important
Microsoft .NET Framework 4.5/4.5.1/4.5.2 when installed on Windows Vista x64 Edition Service Pack 2 (3037581) Important Information Disclosure Important
Microsoft .NET Framework 4.5/4.5.1/4.5.2 when installed on Windows Server 2008 for 32-bit Systems Service Pack 2 (3037581) Important Information Disclosure Important
Microsoft .NET Framework 4/4.5.1/4.5.2 when installed on Windows Server 2008 for x64-based Systems Service Pack 2 (3037581) Important Information Disclosure Important
Microsoft .NET Framework 4.5/4.5.1/4.5.2 when installed on Windows 7 for 32-bit Systems Service Pack 1 (3037581) Important Information Disclosure Important
Microsoft .NET Framework 4.5/4.5.1/4.5.2 when installed on Windows 7 for x64-based Systems Service Pack 1 (3037581) Important Information Disclosure Important
Microsoft .NET Framework 4.5/4.5.1/4.5.2 when installed on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (3037581) Important Information Disclosure Important
Microsoft .NET Framework 4.5/4.5.1/4.5.2 when installed on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) (3037581) Important Information Disclosure Important
Microsoft .NET Framework 4.5/4.5.1/4.5.2 on Windows 8 for 32-bit Systems (3037580) Important Information Disclosure Important
Microsoft .NET Framework 4.5.1/4.5.2 on Windows 8.1 for 32-bit Systems (3037579) Important Information Disclosure Important
Microsoft .NET Framework 4.5/4.5.1/4.5.2 on Windows 8 for x64-based Systems (3037580) Important Information Disclosure Important
Microsoft .NET Framework 4.5.1/4.5.2 on Windows 8.1 for x64-based Systems (3037579) Important Information Disclosure Important
Microsoft .NET Framework 4.5/4.5.1/4.5.2 on Windows Server 2012 (3037580) Important Information Disclosure Important
Microsoft .NET Framework 4.5/4.5.1/4.5.2 on Windows Server 2012 (Server Core installation) (3037580) Important Information Disclosure Important
Microsoft .NET Framework 4.5.1/4.5.2 on Windows Server 2012 R2 (3037579) Important Information Disclosure Important
Microsoft .NET Framework 4.5.1/4.5.2 on Windows Server 2012 R2 (Server Core installation) (3037579) Important Information Disclosure Important
Microsoft .NET Framework 4.5/4.5.1/4.5.2 on Windows RT (3037580) Important Information Disclosure Important
Microsoft .NET Framework 4.5.1/4.5.2 on Windows RT 8.1 (3037579) Important Information Disclosure Important

[1].NET Framework 4 and .NET Framework 4 Client Profile affected.

Vulnerability Information

ASP.NET Information Disclosure Vulnerability - CVE-2015-1648

An information disclosure vulnerability exists in ASP.NET that is caused when ASP.NET improperly handles certain requests on systems that have custom error messages disabled. An attacker who successfully exploited the vulnerability would be able to view parts of a web configuration file, which could expose sensitive information.

To exploit this vulnerability, an attacker could a send a specially crafted web request to an affected server with the intention of eliciting an error message that could disclose information pertaining to the source line that originated the exception. Ultimately, this could disclose information that was not intended to be accessible. The security update addresses the vulnerability by removing file content details from the error messages that were facilitating the information disclosure.

By default, ASP.NET applications are not exposed to this vulnerability because they are configured to not display detailed error messages to remote users. Sometimes developers turn on detailed error messages to gather information and then fail to turn them off, which would then expose the application to this vulnerability.

The default setting in web.config is as follows:

    <customerrors mode="remoteOnly">

In a production environment, best practice would see this entry changed to the following:

    </customerrors><customerrors mode="On" defaultredirect="ErrorPage.htm"> 

As a general rule, in production environments developers should never use the following:

    </customerrors><customerrors mode="off">

Note that error messages are customizable based on the error code. For more information, see customErrors Element (ASP.NET Settings Schema).

As an added protection against accidental disabling of custom errors, machine administrations can turn on retail mode. See the related workaround in this bulletin for more information.

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

Mitigating Factors

The following mitigating factors may be helpful in your situation:

  • Only IIS servers that serve verbose error messages are affected; production servers are unlikely to be affected.

Workarounds

The following workarounds may be helpful in your situation:

  • Configure .NET in retail mode on all web servers

    In the machine.config files of all web servers, add the setting "<deployment retail="true" />" to the "system.web" section of the "configuration" section.

    On 32-bit systems, machine.config is found at %windir%\Microsoft.NET\Framework\[version]\config\machine.config.  

    On 64-bit systems, machine.config is found at %windir%\Microsoft.NET\Framework64\[version]\config\machine.config.

    For more information on this setting, see deployment Element (ASP.NET Settings Schema).

    Impact of workaround. All ASP.NET detailed error messages from all websites on each server will be suppressed.

    How to undo the workaround.

    To undo the workaround, remove the setting that was added by way of this procedure.

     

  • Enable custom errors for all websites

    In the web.config files for all websites, ensure that the "customErrors" setting (in the "system.web" section of the "configuration" section") is not set to “off”.  Safe values are "on", "remoteonly", or no setting at all.

    For more information on the customErrors setting, see customErrors Element (ASP.NET Settings Schema).

    Impact of workaround. All ASP.NET detailed error messages from all websites will be suppressed.

    How to undo the workaround.

    To undo the workaround, revert the settings that were established by way of this procedure.

Security Update Deployment

For Security Update Deployment information see the Microsoft Knowledge Base article referenced in the Executive Summary.

Acknowledgments

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.  

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (April 14, 2015): Bulletin published.
  • V2.0 (May 12, 2015): Bulletin re-released to address issues with the 3037580 update for Microsoft .NET Framework 4.5/4.5.1/4.5.2 on affected editions of Microsoft Windows. Customers running these versions of .NET Framework are encouraged to install the new version of the 3037580 update to be protected from the vulnerability discussed in this bulletin. See Microsoft Knowledge Base Article 3037580 for more information.

Page generated 2015-05-06 13:24Z-07:00.