CVE-2016-3298
Published: 14 October 2016
Summary
CVE-2016-3298 is a medium-severity vulnerability of unspecified weakness type in Microsoft Windows Server 2008. Its CVSS base score is 6.5 (Medium).
Operationally, it is ranked in the top 3.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-4 (Information Flow Enforcement).
Deeper analysis
Microsoft Internet Explorer 9 through 11 and the Internet Messaging API in Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 contain an information disclosure vulnerability that permits remote attackers to determine the existence of arbitrary files on a target system through a specially crafted web site. The flaw is tracked as CVE-2016-3298 with a CVSS score of 6.5, reflecting a network attack vector, low complexity, and no required privileges, though user interaction is needed.
A remote attacker can host or compromise a web site that triggers the vulnerability when visited by a user running the affected software. The result is disclosure of whether specific files are present. The confidentiality impact is limited to these existence checks, and there is no further integrity or availability impact.
Microsoft addressed the issue through security updates published in bulletins MS16-118 and MS16-126, which practitioners should apply to the listed Windows and Internet Explorer versions to prevent exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-4330
Vulnerability details
Microsoft Internet Explorer 9 through 11 and the Internet Messaging API in Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allow remote attackers to determine the existence of arbitrary files via a crafted web site, aka "Internet Explorer Information Disclosure Vulnerability."
- CWE(s)
- KEV Date Added: 24 May 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires applying the vendor security updates (MS16-118/MS16-126) that eliminate the IE/WinINet file-existence disclosure flaw.
Explicitly calls for monitoring that can identify attempts to abuse the browser to disclose the presence of arbitrary local files.
Enforces information-flow rules that can block or sanitize the unauthorized leakage of file-existence metadata from the browser process to a remote site.