CVE-2016-3299 — Improper Access Control in Microsoft Windows 10

CWE-284 — Improper Access Control3 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

7.3%

top 8.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Windows 10 Microsoft Windows Server 2008 Microsoft Windows Server 2012 +11 more

Timeline

PublishedAug 9

Latest updateMay 14

Description

Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allow remote attackers to hijack network traffic or bypass intended Enhanced Protected Mode (EPM) or application container protection mechanisms, and consequently render untrusted content in a browser, by leveraging how NetBIOS validates responses, aka "NetBIOS Spoofing Vulnerability."

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 1.6 | Impact: 3.6

Affected Packages13 packages

▶msrcmsrc/windows_server_2008

▶msrcmsrc/windows_server_2012

▶msrcmsrc/windows_server_2008_r2

▶msrcmsrc/windows_server_2012_r2

▶NVDmicrosoft/windowsr2

🔴Vulnerability Details

GHSA

GHSA-h92r-hw98-gw25: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8↗2022-05-14

▶

📋Vendor Advisories

Microsoft

NetBIOS Elevation of Privilege Vulnerability↗2016-06-14

▶