Vulnerability CVE-2010-3937

Vulnerability Name:

CVE-2010-3937 (CCN-63572)

Assigned:

2010-12-14

Published:

2010-12-14

Updated:

2020-04-09

Summary:

Microsoft Exchange Server 2007 SP2 on the x64 platform allows remote authenticated users to cause a denial of service (infinite loop and MSExchangeIS outage) via a crafted RPC request, aka "Exchange Server Infinite Loop Vulnerability."

CVSS v3 Severity:

2.6 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P)
3.0 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

3.5 Low (CCN CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P)
2.6 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

CWE-399

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2010-3937

Source: CCN
Type: SA42633
Microsoft Exchange Server RPC Denial of Service Vulnerability

Source: CCN
Type: SECTRACK ID: 1024888
Microsoft Exchange Server RPC Processing Flaw Lets Remote Authenticated Users Deny Service

Source: CCN
Type: Microsoft Security Bulletin MS10-106
Vulnerability in Microsoft Exchange Server Could Allow Denial of Service (2407132)

Source: BID
Type: Third Party Advisory, VDB Entry
45297

Source: CCN
Type: BID-45297
Microsoft Exchange Server 2007 Infinite Loop Remote Denial of Service Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1024888

Source: CERT
Type: Third Party Advisory, US Government Resource
TA10-348A

Source: MS
Type: Patch, Vendor Advisory
MS10-106

Source: XF
Type: UNKNOWN
exchange-rpc-dos(63572)

Source: OVAL
Type: Third Party Advisory
oval:org.mitre.oval:def:12019

Source: CCN
Type: ZDI-10-286
Microsoft Exchange 2007 Infinite Loop Denial of Service Vulnerability

Vulnerable Configuration:

Configuration 1:

cpe:/a:microsoft:exchange_server:2007:sp2:*:*:*:*:x64:*

Configuration CCN 1:

cpe:/a:microsoft:exchange_server:2007:sp2:x64:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:12019	V	Exchange Server Infinite Loop Vulnerability	2011-01-24

BACK