Microsoft Security Response Center

*Why is this OpenSSL Software Foundation CVE included in the Security Update Guide?* The vulnerability assigned to this CVE is in OpenSSL Software which is consumed by Microsoft Visual Studio. It is being documented in the Security Update Guide to announce that the latest builds of Visual Studio are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

*How could an attacker exploit this vulnerability?* The ADFS (Active Directory Federation Services) services are vulnerable during the logout redirect request to cross-site scripting of the post logout redirect URI. An attacker who successfully exploited this vulnerability could leave an application using this ADFS library vulnerable to common XSS attacks.

*What type of information could be disclosed by this vulnerability?* The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information.

*What type of information could be disclosed by this vulnerability?* The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.

*The CVSS Score says user action is required. What type of user action is required?* A user would have to open a maliciously crafted email sent to Dynamics 365 Customer Engagement.

*What security feature could be bypassed by exploiting this vulnerability?* This vulnerability could allow an attacker to bypass ADFS BannedIPList entries for WS-Trust workflows.

*What type of information could be disclosed by this vulnerability?* An attacker that successfully exploited this vulnerability could recover cleartext passwords from memory.

*Are there any pre-requisites for this vulnerability to be exploited in Intune Management Extension?* This vulnerability only exists when Intune Management Extension is enabled as managed installer. Enabling IME as managed installer requires local administrator privileges. *What should I do to protect myself from this vulnerability?* No action is required. As soon as the client connects to the service, it automatically receives a message to update.

*In what instances do I need to install the security update for this vulnerability?* This vulnerability only affects machines that have the SCOM web console installed. SCOM web console server machines should have this update installed to be protected from the vulnerability. *Do I need to install the update if my machine is not set up as a web console server?* No. Customers whose machines are not SCOM web console server machines do not need to install this update.

*What type of information could be disclosed by this vulnerability?* The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.