TLS/SSL Information Disclosure Vulnerability

2016-05-12T07:00:00
ID MS:CVE-2016-0149
Type mscve
Reporter Microsoft
Modified 2016-05-12T07:00:00

Description

An information disclosure vulnerability exists in the TLS/SSL protocol, implemented in the encryption component of Microsoft .NET Framework. An attacker who successfully exploited this vulnerability could decrypt encrypted SSL/TLS traffic.

To exploit the vulnerability, an attacker would first have to inject unencrypted data into the secure channel and then perform a man-in-the-middle (MiTM) attack between the targeted client and a legitimate server. The update addresses the vulnerability by modifying the way that the .NET encryption component sends and receives encrypted network packets.

Important: Microsoft recommends that customers download and test the applicable update in controlled/managed environments before deploying it in their production environments.

In case of application compatibility issues, the recommended approach is to ensure that the server and client endpoints are correctly implementing the TLS RFC, and that they can interpret two split records containing 1, n-1 bytes respectively after this update. For more information and developer guidance, see Microsoft Knowledge Base Article 3155464.

The following mitigating factors may be helpful in your situation: Customers who have enabled TLS1.2 are not affected. For more information and developer guidance, see Microsoft Knowledge Base Article 3155464.