MS12-026: Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Information Disclosure (2663860) (uncredentialed check)

medium Nessus Plugin ID 58902

Synopsis

A web application on the remote Windows host has multiple vulnerabilities.

Description

The version of Forefront Unified Access Gateway (UAG) running on the remote host has multiple vulnerabilities :

- A spoofing vulnerability exists that could allow an attacker to redirect a victim to a malicious website.
An attacker would have to trick the victim into clicking a specially crafted link in order to trigger the vulnerability. (CVE-2012-0146)

- A flaw exists that could allow an unauthenticated user to access the default website of the UAG server from the external network. (CVE-2012-0147)

Solution

Microsoft has released a set of patches for UAG 2010 SP1 and UAG 2010 SP1 Update 1.

See Also

https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-026

Plugin Details

Severity: Medium

ID: 58902

File Name: forefront_uag_ms12-026.nbin

Version: 1.245

Type: remote

Family: Web Servers

Published: 4/27/2012

Updated: 11/22/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.9

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/a:microsoft:forefront_unified_access_gateway, cpe:/o:microsoft:windows

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/10/2012

Vulnerability Publication Date: 4/10/2012

Reference Information

CVE: CVE-2012-0146, CVE-2012-0147

BID: 52903, 52909

MSFT: MS12-026

MSKB: 2649261, 2649262