
CERT Coordination Center

Microsoft CIS and RPC over HTTP Proxy components fail to properly handle responses

Vulnerability Note VU#698564

Original Release Date: 2004-04-14 | Last Revised: 2004-04-14

Overview

A vulnerability in a Microsoft HTTP Proxy component may lead to a denial of service.

Description

Microsoft's COM Internet Services (CIS) and Remote Procedure Call (RPC) over HTTP Proxy contain a vulnerability that could permit an attacker to cause a denial of service. When either component forwards a request to the backend system, an attacker may be able to reply to that request with a specially crafted response. This could cause the vulnerable component to stop accepting future requests. This vulnerability affects the following systems:

    • Windows NT Server 4.0
    • Windows NT Server 4.0, Terminal Server Edition
    • Windows 2000
    • Windows Server 2003

Impact

A remote attacker may be able to stop the vulnerable component from accepting messages. This would lead to a denial of service.

Solution

Apply a patch from the vendor
Microsoft Security Bulletin MS04-012 contains patch information to resolve this issue.

Vendor Information


Microsoft Corporation Affected

Updated: April 13, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Microsoft Security Bulletin MS04-012 contains information regarding this issue.



CVSS Metrics


References

Acknowledgements

The Microsoft Security Bulletin thanks Qualys for reporting this vulnerability.

This document was written by Jason A Rafail.

Other Information

CVE IDs: CVE-2003-0807
Severity Metric: 5.32
Date Public: 2004-04-13
Date First Published: 2004-04-14
Date Last Updated: 2004-04-14 00:36 UTC
Document Revision: 9

Sponsored by CISA.