Overview
Microsoft IIS FTP server 7.5 is affected by a pre-authentication memory corruption vulnerability.
Description
A specially crafted request sent to the IIS FTP service can result in memory corruption, causing the service to crash. A denial-of-service exploit has been released to the public. IIS 7.5.7600.16385 on Windows 7 is reported to be affected. Other versions may also be affected. Additional details are available on Microsoft's Security Research & Defense blog.
Impact
An attacker can cause a denial of service. Depending on the specifics of the vulnerability, an attacker could potentially execute arbitrary code.
Solution
We are currently unaware of a practical solution to this problem.
Restrict Access
Appropriate firewall rules should be implemented to restrict access to trusted sources. Customers of IPS vendors should request updated signatures for this vulnerability and block related traffic.
Acknowledgements
This vulnerability was reported to the public by Matthew Bergin via Exploit-DB.
This document was written by Jared Allar.
Other Information
| Field | Value |
|---|---|
| CVE IDs | None |
| Severity Metric | 1.77 |
| Date Public | 2010-12-21 |
| Date First Published | 2010-12-22 |
| Date Last Updated | 2010-12-23 15:22 UTC |
| Document Revision | 11 |