

Vulnerability protection

Microsoft Forefront UAG vulnerabilities could allow information disclosure


Report ID: MS201204004
Date Published: 12 April 2012

Criticality: Important
Compromise Type: information-disclosure, spoofing
Compromise From: remote


Affected Product/Component:

Microsoft Forefront Unified Access Gateway 2010 SP1
Microsoft Forefront Unified Access Gateway 2010 SP1 Update 1




Summary

Two vulnerabilities in Microsoft Forefront Unified Access Gateway (UAG) could lead to information disclosure, possibly allowing an attacker to view secured resources. 



Detailed Description

Microsoft has released a security update to address two reported vulnerabilities in Microsoft Forefront Unified Access Gateway (UAG), each of which could lead to information disclosure.

The first, a spoofing vulnerability, could be exploited to impersonate a legitimate UAG web interface and trick users into surrendering their private data. It was caused by a failure to validate and confirm redirection to an external website.

The second vulnerability was caused by an incorrect configuration of a default website on a UAG server; an attacker could use this condition to view secured resources on the server.

Both vulnerabilities are resolved in the latest update, which modifies the UAG code and the UAG server's default binding settings. Users are advised to install this update to protect their systems from potential exploits.



CVE Reference

CVE-2012-0146
CVE-2012-0147



Solution

Install the latest security patch for the applicable system, available for download from https://technet.microsoft.com/en-us/security/bulletin/ms12-026


