|
[Japanese]
|
JVNDB-2016-000195
|
Cryptography API: Next Generation (CNG) vulnerable to denial-of-service (DoS)
|
|
Cryptography API: Next Generation (CNG) contains an issue in BCryptDecrypt, which may result in a denial-of-service (DoS).
ASHINO, Yuki of NEC Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
|
|
CVSS V3 Severity:
Base Metrics 3.3 (Low) [IPA Score]
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Partial
|
|
|
Microsoft Corporation
- Microsoft Windows 7 and earlier (Cryptography API: Next Generation (CNG))
|
According to the developer, CNG included in Windows 8 and later is not affected by this vulnerability.
|
|
If CNG processes a specially crafted key data, the product may be terminated abnormally.
|
|
[Upgrade Windows]
According to the developer, CNG included in Windows 8 and later is not affected by this vulnerability.
Upgrade Windows to 8.1 or later.
The developer states the comment below:
"The impact of this issue is limited. It could only result in a localized Denial of Service condition, at worst. This could not be exploited or code executed remotely.
The issue does not exist in Windows 8 and above. We recommend that customers upgrade their system to the supported version of Windows 8.1 or above."
|
|
Microsoft Corporation
|
|
- Buffer Errors(CWE-119) [IPA Evaluation]
|
|
|
|
- JVN : JVN#20786316
|
|
- [2016/10/07]
Web page was published
|
