Microsoft Forefront UAG vulnerabilities could allow information disclosure
Report ID: MS201204004
Date Published: 12 April 2012
Criticality: Important
Compromise Type: information disclosure, spoofing
Compromise From: remote
Affected Product/Component:
Microsoft Forefront Unified Access Gateway 2010 SP1
Microsoft Forefront Unified Access Gateway 2010 SP1 Update 1
Summary
Two vulnerabilities in Microsoft Forefront Unified Access Gateway (UAG) could lead to information disclosure, possibly allowing an attacker to view secured resources.
Detailed Description
Microsoft has released a security update to address two reported vulnerabilities in Microsoft Forefront Unified Access Gateway (UAG), each of which could lead to information disclosure.
The first, a spoofing vulnerability, could be exploited to impersonate a legitimate UAG web interface and trick users into surrendering private data. It is caused by UAG failing to validate a redirection to an external website before following it: a link that appears to point at the trusted UAG address can therefore send the user on to an attacker-controlled site.
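The following PowerShell snippet is an added illustration of the weak redirect-validation class behind the first vulnerability; it is not UAG code, and the host names, function names and allowlist are assumptions. It contrasts a prefix-based target check, which accepts look-alike hosts, with one that parses the URL and allowlists the host.

```powershell
# Added example (not UAG code): a weak redirect check beside a hardened one.
# The allowlist and host names below are assumptions for illustration.
$AllowedHosts = @('portal.example.com', 'sso.example.com')   # assumed allowlist

function Test-RedirectWeak {
    param([string]$Target)
    # Weak: a plain prefix test. "https://portal.example.com.evil.example/" and
    # "https://portal.example.com@evil.example/" both begin with the trusted prefix.
    return $Target.StartsWith('https://portal.example.com')
}

function Test-RedirectStrict {
    param([string]$Target)
    # Parse first and insist on an absolute URI; scheme-relative forms such as
    # "//evil.example/x" either fail to parse or come back as a non-https scheme.
    $uri = $null
    if (-not [System.Uri]::TryCreate($Target, [System.UriKind]::Absolute, [ref]$uri)) {
        return $false
    }
    if ($uri.Scheme -ne 'https') { return $false }
    if ($uri.UserInfo)           { return $false }   # reject user@host forms outright
    # Only the parsed host is compared, so look-alike suffixes cannot match
    return $AllowedHosts -contains $uri.Host.ToLowerInvariant()
}

# Constructed test targets; the second and third are accepted by the weak check
$cases = @(
    'https://portal.example.com/login',
    'https://portal.example.com.evil.example/',
    'https://portal.example.com@evil.example/',
    '//evil.example/',
    'http://portal.example.com/'
)
foreach ($c in $cases) {
    '{0,-45} weak={1,-5} strict={2}' -f $c, (Test-RedirectWeak $c), (Test-RedirectStrict $c)
}
```

The strict check also rejects plain http targets, which keeps a redirect from downgrading a session that started over TLS; if a deployment legitimately redirects to other hosts, extend the allowlist rather than loosening the comparison.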
The second, an information disclosure vulnerability, is caused by the default website on a UAG server being bound so that it is reachable from the external side. An attacker could use this to view resources on the server that should only be reachable from the internal network.
Both vulnerabilities are resolved by the update, which modifies the UAG code that handles redirection and changes the default binding settings of the UAG server's default website. Administrators are advised to install the update; until it is installed, restricting external access to the default website's port at the perimeter firewall limits exposure to the second issue.
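The following PowerShell script is an added example, not part of the Microsoft update or of UAG, for listing which IIS site bindings on a UAG server listen on every address or on the external interface, so the default website's binding can be checked before and after the update is applied. The external address, the function name and the output layout are assumptions.

```powershell
# Added example (not Microsoft's or UAG's code): report IIS bindings on a UAG
# server that are reachable on the external interface.
Import-Module WebAdministration   # provided by the IIS Web Server role

# Assumption: the UAG external IP address(es); 203.0.113.0/24 is documentation space
$ExternalAddresses = @('203.0.113.10')

function Get-BindingExposure {
    param([string[]]$External)
    foreach ($site in Get-Website) {
        foreach ($b in (Get-WebBinding -Name $site.Name)) {
            # bindingInformation has the form "address:port:hostheader"; "*" means every address
            if ($b.bindingInformation -notmatch '^(?<addr>.+):(?<port>\d+):(?<host>.*)$') { continue }
            $addr = $Matches['addr']
            # A binding is exposed when it listens on all addresses or on an external one
            $exposed = ($addr -eq '*') -or ($External -contains $addr)
            [pscustomobject]@{
                Site       = $site.Name
                Protocol   = $b.protocol
                Address    = $addr
                Port       = [int]$Matches['port']
                HostHeader = $Matches['host']
                Exposed    = $exposed
            }
        }
    }
}

$report = Get-BindingExposure -External $ExternalAddresses
$report | Sort-Object Exposed -Descending | Format-Table -AutoSize
if ($report | Where-Object { $_.Exposed }) {
    Write-Warning 'One or more sites are reachable on the external interface; confirm each is intended.'
}
```

Sites belonging to published UAG trunks are expected to appear as exposed, since that is how they serve remote users; the line to look for is the UAG default website. Run the script before the update to record the current binding and again afterwards to confirm the default website is no longer listed as exposed, and check the perimeter firewall as well, since a host-level binding change does not replace network filtering.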
CVE Reference
CVE-2012-0146
CVE-2012-0147
Solution
Install the security update for the applicable version, available from Microsoft Security Bulletin MS12-026 (https://technet.microsoft.com/en-us/security/bulletin/ms12-026).