
CERT Coordination Center

Microsoft Windows Active Directory fails to properly validate client sent LDAP requests

Vulnerability Note VU#348953

Original Release Date: 2007-07-11 | Last Revised: 2007-07-11

Overview

Microsoft Windows Active Directory fails to properly validate client-sent LDAP requests, which may result in a denial of service condition.

Description

Microsoft Windows Active Directory contains a vulnerability in the way that the LDAP service validates the number of convertible attributes in the client-sent request. By sending a specially crafted LDAP request to a server running Active Directory, an attacker may be able to cause the server to stop responding.
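To show, from a defender's side, the kind of request the description refers to, here is an added Python example (not code from this advisory, from CERT/CC, or from Microsoft) that decodes the BER framing of an LDAP SearchRequest (RFC 4511) and counts the attributes the client asks for, so that a network sensor or LDAP proxy can flag requests carrying unusually long attribute lists. It assumes only the RFC 4511 encoding; the "convertible attributes" check Microsoft describes is internal to Active Directory and is not reproduced here, and the MAX_ATTRIBUTES threshold, the function names and all sample requests are constructed for this example.

```python
"""Count requested attributes in an LDAP SearchRequest PDU (RFC 4511).

Added example: a minimal BER walker that a sensor or proxy could use to
flag LDAP search requests with an unusually long attribute list.
"""

# BER tag constants (universal class) plus the LDAP application tags used here
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_BOOLEAN = 0x01
TAG_SEARCH_REQUEST = 0x63   # [APPLICATION 3], constructed
TAG_FILTER_PRESENT = 0x87   # Filter CHOICE [7] "present", primitive

MAX_ATTRIBUTES = 64         # constructed threshold for illustration only


def ber_length(n):
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """Wrap a payload in a tag-length-value triple."""
    return bytes([tag]) + ber_length(len(payload)) + payload


def encode_search_request(msg_id, base_dn, attrs):
    """Build a well-formed LDAPMessage carrying a SearchRequest (constructed sample).

    msg_id must be below 128 so it fits a single INTEGER content byte.
    """
    body = (
        tlv(TAG_OCTET_STRING, base_dn.encode())
        + tlv(TAG_ENUMERATED, b"\x02")            # scope: wholeSubtree
        + tlv(TAG_ENUMERATED, b"\x00")            # derefAliases: neverDerefAliases
        + tlv(TAG_INTEGER, b"\x00")               # sizeLimit: 0 (no limit)
        + tlv(TAG_INTEGER, b"\x00")               # timeLimit: 0 (no limit)
        + tlv(TAG_BOOLEAN, b"\x00")               # typesOnly: FALSE
        + tlv(TAG_FILTER_PRESENT, b"objectClass")  # filter (objectClass=*)
        + tlv(TAG_SEQUENCE, b"".join(tlv(TAG_OCTET_STRING, a.encode()) for a in attrs))
    )
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, bytes([msg_id])) + tlv(TAG_SEARCH_REQUEST, body))


def read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; return (tag, value, position after it).

    Raises ValueError on truncated input, indefinite lengths, or lengths
    that run past the buffer, so a caller never reads outside the PDU.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def count_search_attributes(pdu):
    """Return the number of entries in a SearchRequest's attribute list,
    or None when the PDU carries some other protocol operation."""
    tag, msg, _ = read_tlv(pdu, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("LDAPMessage must be a SEQUENCE")
    tag, _msg_id, pos = read_tlv(msg, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(msg, pos)
    if tag != TAG_SEARCH_REQUEST:
        return None
    pos = 0
    for _ in range(7):               # skip the seven fixed fields before the attribute list
        _, _, pos = read_tlv(op, pos)
    tag, attr_list, _ = read_tlv(op, pos)
    if tag != TAG_SEQUENCE:
        raise ValueError("attributes must be a SEQUENCE OF LDAPString")
    count, pos = 0, 0
    while pos < len(attr_list):
        tag, _, pos = read_tlv(attr_list, pos)
        if tag != TAG_OCTET_STRING:
            raise ValueError("attribute name must be an OCTET STRING")
        count += 1
    return count


def classify(pdu, limit=MAX_ATTRIBUTES):
    """'ignore' for non-search PDUs, 'malformed' for undecodable BER,
    'suspicious' when the attribute count exceeds the limit, else 'ok'."""
    try:
        n = count_search_attributes(pdu)
    except ValueError:
        return "malformed"
    if n is None:
        return "ignore"
    return "suspicious" if n > limit else "ok"


if __name__ == "__main__":
    normal = encode_search_request(1, "dc=example,dc=com", ["cn", "mail"])
    oversized = encode_search_request(2, "dc=example,dc=com", ["attr%d" % i for i in range(200)])
    print("normal request:", classify(normal))        # ok
    print("oversized request:", classify(oversized))  # suspicious
```

The decoder rejects indefinite-length and over-long BER forms and never indexes past the buffer, which is the property a sensor placed in front of a directory service needs in the first place: it must not fall over on the same malformed input it is meant to flag.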

Impact

A remote attacker may be able to cause a denial of service condition.

Solution

Apply an Update

Microsoft has released updates in Microsoft Security Bulletin MS07-039 to address this issue.

Workaround

Microsoft suggests blocking port 389/tcp and port 3268/tcp at the firewall to prevent exploitation of this vulnerability. Please see Microsoft Security Bulletin MS07-039 for further information.

Vendor Information


CVSS Metrics

Group          Score   Vector
Base           -       -
Temporal       -       -
Environmental  -       -

References

Acknowledgements

This vulnerability was reported in Microsoft Security Bulletin MS07-039. Microsoft credits Peter Winter-Smith of NGSSoftware for reporting the vulnerability to them.

This document was written by Katie Steiner.

Other Information

CVE IDs: CVE-2007-3028
Severity Metric: 0.39
Date Public: 2007-07-10
Date First Published: 2007-07-11
Date Last Updated: 2007-07-11 20:13 UTC
Document Revision: 8

Sponsored by CISA.