Vulnerability CVE-2009-1536 - CERT Civis.Net

Vulnerability Name:

CVE-2009-1536 (CCN-52113)

Assigned:

2009-08-11

Published:

2009-08-11

Updated:

2018-10-12

Summary:

ASP.NET in Microsoft .NET Framework 2.0 SP1 and SP2 and 3.5 Gold and SP1, when ASP 2.0 is used in integrated mode on IIS 7.0, does not properly manage request scheduling, which allows remote attackers to cause a denial of service (daemon outage) via a series of crafted HTTP requests, aka "Remote Unauthenticated Denial of Service in ASP.NET Vulnerability."

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

2.6 Low (CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:N/A:P)
1.9 Low (Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): High Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

Vulnerability Consequences:

Denial of Service

References:

Source: MISC
Type: Vendor Advisory
http://blogs.technet.com/srd/archive/2009/08/11/ms09-035-asp-net-denial-of-service-vulnerability.aspx

Source: MITRE
Type: CNA
CVE-2009-1536

Source: OSVDB
Type: Broken Link
56905

Source: CCN
Type: SA36127
Microsoft .NET Framework Denial of Service Vulnerability

Source: SECUNIA
Type: Third Party Advisory
36127

Source: CCN
Type: SECTRACK ID: 1022715
Microsoft ASP.NET Request Scheduling Flaw Lets Remote Users Deny Service

Source: CCN
Type: Microsoft Security Bulletin MS09-036
Vulnerability in ASP.NET in Microsoft Windows Could Allow Denial of Service (970957)

Source: CCN
Type: OSVDB ID: 56905
Microsoft .NET Framework Request Scheduling Crafted HTTP Request Remote DoS

Source: BID
Type: Patch, Third Party Advisory, VDB Entry
35985

Source: CCN
Type: BID-35985
Microsoft ASP.NET Request Scheduling Denial Of Service Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1022715

Source: CERT
Type: Third Party Advisory, US Government Resource
TA09-223A

Source: VUPEN
Type: Permissions Required, Third Party Advisory
ADV-2009-2231

Source: MS
Type: UNKNOWN
MS09-036

Source: XF
Type: UNKNOWN
win-aspnet-framework-http-dos(52113)

Source: OVAL
Type: Third Party Advisory
oval:org.mitre.oval:def:6393

Vulnerable Configuration:

Configuration 1:

cpe:/a:microsoft:.net_framework:2.0:sp1:*:*:*:*:*:*

OR cpe:/a:microsoft:.net_framework:2.0:sp2:*:*:*:*:*:*

OR cpe:/a:microsoft:.net_framework:3.5:-:*:*:*:*:*:*

OR cpe:/a:microsoft:.net_framework:3.5:sp1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_vista:*:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_vista:-:sp1:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:microsoft:.net_framework:2.0:sp1:*:*:*:*:*:*

OR cpe:/a:microsoft:.net_framework:2.0:sp2:*:*:*:*:*:*

OR cpe:/a:microsoft:.net_framework:3.5:-:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:*:*

AND

cpe:/o:microsoft:windows_vista:*:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_vista:-:*:x64:*:*:*:*:*

OR cpe:/o:microsoft:windows_vista:-:sp1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_vista:-:sp1:x64:*:*:*:*:*

OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:itanium:*

OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:x64:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:6393	V	Remote Unauthenticated Denial of Service in ASP.NET Vulnerability	2014-08-18