Vulnerability CVE-2011-0654 - CERT Civis.Net

Vulnerability Name:

CVE-2011-0654 (CCN-65376)

Assigned:

2011-02-14

Published:

2011-02-14

Updated:

2019-02-26

Summary:

Integer underflow in the BowserWriteErrorLogEntry function in the Common Internet File System (CIFS) browser service in Mrxsmb.sys or bowser.sys in Active Directory in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code or cause a denial of service (system crash) via a malformed BROWSER ELECTION message, leading to a heap-based buffer overflow, aka "Browser Pool Corruption Vulnerability."
Note: some of these details are obtained from third party information.

CVSS v3 Severity:

10.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
7.4 High (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:UR)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
7.4 High (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:UR)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: FULLDISC
Type: UNKNOWN
20110214 MS Windows Server 2003 AD Pre-Auth BROWSER ELECTION Remote Heap Overflow

Source: CONFIRM
Type: UNKNOWN
http://blogs.technet.com/b/mmpc/archive/2011/02/16/my-sweet-valentine-the-cifs-browser-protocol-heap-corruption-vulnerability.aspx

Source: CCN
Type: The Microsoft Security Response Center (MSRC)
Notes on exploitability of the recent Windows BROWSER protocol issue

Source: CONFIRM
Type: UNKNOWN
http://blogs.technet.com/b/srd/archive/2011/02/16/notes-on-exploitability-of-the-recent-windows-browser-protocol-issue.aspx

Source: MITRE
Type: CNA
CVE-2011-0654

Source: CCN
Type: SA43299
Microsoft Windows SMB Browser Election Request Parsing Vulnerability

Source: SECUNIA
Type: Vendor Advisory
43299

Source: EXPLOIT-DB
Type: Exploit
16166

Source: CCN
Type: US-CERT VU#323172
Microsoft Windows browser election message kernel pool overflow

Source: CERT-VN
Type: US Government Resource
VU#323172

Source: CCN
Type: Microsoft Security Bulletin MS11-019
Vulnerabilities in SMB Client Could Allow Remote Code Execution (2511455)

Source: CCN
Type: Microsoft Security Bulletin MS11-043
Vulnerability in SMB Client Could Allow Remote Code Execution (2536276)

Source: CCN
Type: OSVDB ID: 70881
Microsoft Windows SMB Browser Election Request Server Name String Overflow

Source: BID
Type: Exploit
46360

Source: CCN
Type: BID-46360
Microsoft Windows 'BROWSER ELECTION' Buffer Overflow Vulnerability

Source: SECTRACK
Type: UNKNOWN
1025328

Source: CERT
Type: US Government Resource
TA11-102A

Source: VUPEN
Type: Vendor Advisory
ADV-2011-0394

Source: VUPEN
Type: Vendor Advisory
ADV-2011-0938

Source: MS
Type: UNKNOWN
MS11-019

Source: XF
Type: UNKNOWN
ms-win-server-browser-bo(65376)

Source: XF
Type: UNKNOWN
ms-win-server-browser-bo(65376)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:12637

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [02-14-2011]

Vulnerable Configuration:

Configuration 1:

cpe:/o:microsoft:windows_2003_server:*:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:*:r2:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:*:r2:x64:*:*:*:*:*

OR cpe:/o:microsoft:windows_2003_server:*:sp2:itanium:*:*:*:*:*

OR cpe:/o:microsoft:windows_server_2003:*:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_server_2003:*:sp2:*:*:*:*:*:*

Configuration CCN 1:

cpe:/o:microsoft:windows:server_2003:sp2:*:*:*:*:*:*

OR cpe:/o:microsoft:windows:server_2003:sp2:itanium:*:*:*:*:*

OR cpe:/o:microsoft:windows:server_2003:sp2:x64:*:*:*:*:*

OR cpe:/o:microsoft:windows_xp::sp2:x64:*:professional:*:*:*

OR cpe:/o:microsoft:windows_vista:-:sp1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_vista:-:sp1:x64:*:*:*:*:*

OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:itanium:*

OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:x32:*

OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:x64:*

OR cpe:/o:microsoft:windows:xp:sp3:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_vista:-:sp2:x64:*:*:*:*:*

OR cpe:/o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x32:*

OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x64:*

OR cpe:/o:microsoft:windows_7:-:-:*:*:ultimate_n:*:x64:*

OR cpe:/o:microsoft:windows_7:-:*:*:*:*:*:x32:*

OR cpe:/o:microsoft:windows_server_2008:r2:*:*:*:*:*:x64:*

OR cpe:/o:microsoft:windows_server_2008:r2:*:*:*:*:*:itanium:*

OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:itanium:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:12637	V	Browser Pool Corruption Vulnerability	2014-03-03