PT-2016-1983 · Microsoft · .Net Framework

Published: 2016-05-10 · Updated: 2018-10-12 · CVE-2016-0149

CVSS v3.1: 5.9 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Microsoft .NET Framework versions 2.0 SP2 through 4.6.1

Description

The issue allows man-in-the-middle attackers to obtain sensitive cleartext information via vectors involving injection of cleartext data into the client-server data stream. An attacker who successfully exploited this vulnerability could decrypt encrypted SSL/TLS traffic by first injecting unencrypted data into the secure channel and then performing a man-in-the-middle attack between the targeted client and a legitimate server.

Recommendations

For Microsoft .NET Framework versions 2.0 SP2 through 4.6.1, consider disabling the use of TLS/SSL protocol until a patch is available. Restrict access to sensitive information to minimize the risk of exploitation. Avoid using the encryption component of Microsoft .NET Framework in sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2016-01316
CVE-2016-0149

Affected Products

.Net Framework