Microsoft .NET Framework 2.0 SP2/3.5 SP1/3.5.1/4.0 Forms Authentication Return URL input validation
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.6 | $0-$5k | 0.00 |
A vulnerability was found in Microsoft .NET Framework 2.0 SP2/3.5 SP1/3.5.1/4.0 (Programming Language Software). It has been declared as critical. Affected by this vulnerability is some unknown processing of the component Forms Authentication. The manipulation of the argument Return URL with an unknown input leads to a input validation vulnerability. The CWE definition for the vulnerability is CWE-20. The product receives input or data, but it does
not validate or incorrectly validates that the input has the
properties that are required to process the data safely and
correctly. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:
Open redirect vulnerability in the Forms Authentication feature in the ASP.NET subsystem in Microsoft .NET Framework 2.0 SP2, 3.5 SP1, 3.5.1, and 4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted return URL, aka "Insecure Redirect in .NET Form Authentication Vulnerability."
The weakness was disclosed 12/29/2011 by Rene as MS11-100 as confirmed bulletin (Technet). It is possible to read the advisory at technet.microsoft.com. The public release has been coordinated in cooperation with Microsoft. This vulnerability is known as CVE-2011-3415 since 09/09/2011. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Technical details and also a public exploit are known.
After 3 months, there has been an exploit disclosed. It is declared as proof-of-concept. We expect the 0-day to have been worth approximately $5k-$25k. The vulnerability scanner Nessus provides a plugin with the ID 57414 (MS11-100: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Windows : Microsoft Bulletins. The commercial vulnerability scanner Qualys is able to test this issue with plugin 90764 (Microsoft ASP.NET Denial of Service Vulnerability (KB2659883 and MS11-100)).
Applying the patch MS11-100 is able to eliminate this problem. The bugfix is ready for download at technet.microsoft.com. A possible mitigation has been published immediately after the disclosure of the vulnerability. Furthermore it is possible to detect and prevent this kind of attack with TippingPoint and the filter 11963.
The vulnerability is also documented in the databases at X-Force (72028) and Tenable (57414). The entries 4510, 4508, 4506 and 4509 are pretty similar.
Product
Type
Vendor
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.3VulDB Meta Temp Score: 6.6
VulDB Base Score: 7.3
VulDB Temp Score: 6.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Input validationCWE: CWE-20
ATT&CK: Unknown
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Proof-of-Concept
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | unlock | unlock | unlock | unlock |
|---|---|---|---|---|
| Today | unlock | unlock | unlock | unlock |
Nessus ID: 57414
Nessus Name: MS11-100: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
OpenVAS ID: 902806
OpenVAS Name: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2638420)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Exploit Delay Time: 🔍
Patch: MS11-100
TippingPoint: 🔍
ISS Proventia IPS: 🔍
PaloAlto IPS: 🔍
Fortigate IPS: 🔍
Timeline
09/09/2011 🔍12/29/2011 🔍
12/29/2011 🔍
12/29/2011 🔍
12/29/2011 🔍
12/29/2011 🔍
12/30/2011 🔍
01/01/2012 🔍
01/21/2012 🔍
03/21/2012 🔍
03/20/2021 🔍
Sources
Vendor: microsoft.comAdvisory: MS11-100
Researcher: Rene
Status: Confirmed
Coordinated: 🔍
CVE: CVE-2011-3415 (🔍)
OVAL: 🔍
IAVM: 🔍
X-Force: 72028
Vulnerability Center: 34155 - [MS11-100] Microsoft ASP .NET Forms Authentication Feature Insecure Redirect Vulnerability, Medium
SecurityFocus: 51202 - Microsoft .NET Framework CVE-2011-3415 Form Authentication URI Open Redirection Vulnerability
Secunia: 47323 - Microsoft .NET Framework Multiple Vulnerabilities, Moderately Critical
OSVDB: 78054 - Microsoft .NET Framework Forms Authentication Return URL Handling Arbitrary Site Redirect
scip Labs: https://www.scip.ch/en/?labs.20161013
See also: 🔍
Entry
Created: 01/21/2012 01:00Updated: 03/20/2021 10:44
Changes: 01/21/2012 01:00 (56), 04/05/2017 15:08 (34), 03/20/2021 10:41 (7), 03/20/2021 10:44 (1)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.