Vulnerability Name: | CVE-2009-2505 (CCN-54438) | ||||||||
Assigned: | 2009-12-08 | ||||||||
Published: | 2009-12-08 | ||||||||
Updated: | 2018-10-12 | ||||||||
Summary: | The Internet Authentication Service (IAS) in Microsoft Windows Vista SP2 and Server 2008 SP2 does not properly validate MS-CHAP v2 Protected Extensible Authentication Protocol (PEAP) authentication requests, which allows remote attackers to execute arbitrary code via crafted structures in a malformed request, aka "Internet Authentication Service Memory Corruption Vulnerability." | ||||||||
CVSS v3 Severity: | 10.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
| ||||||||
CVSS v2 Severity: | 10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C) 7.4 High (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
7.4 High (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
| ||||||||
Vulnerability Type: | CWE-287 | ||||||||
Vulnerability Consequences: | Gain Access | ||||||||
References: | Source: MITRE Type: CNA CVE-2009-2505 Source: CCN Type: SA37579 Microsoft Windows Internet Authentication Service Vulnerability Source: CCN Type: SECTRACK ID: 1023291 Microsoft Internet Authentication Service Bugs Let Remote Authenticated Users Execute Arbitrary Code or Gain Privileges of the Target User Source: CCN Type: Microsoft Security Bulletin MS09-071 Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318) Source: CCN Type: BID-37197 Microsoft Protected Extensible Authentication Protocol Memory Corruption Vulnerability Source: SECTRACK Type: UNKNOWN 1023291 Source: CERT Type: US Government Resource TA09-342A Source: MS Type: UNKNOWN MS09-071 Source: XF Type: UNKNOWN ms-ias-code-execution(54438) Source: OVAL Type: UNKNOWN oval:org.mitre.oval:def:6063 | ||||||||
Vulnerable Configuration: | Configuration 1: Configuration CCN 1: Denotes that component is vulnerable | ||||||||
Oval Definitions | |||||||||
| |||||||||
BACK |