Executive Summary
Summary | |
---|---|
Title | Vulnerability in ASP.NET in Microsoft Windows Could Allow Denial of Service (970957) |
Informations | |||
---|---|---|---|
Name | MS09-036 | First vendor Publication | 2009-08-11 |
Vendor | Microsoft | Last vendor Modification | 2009-08-13 |
Severity (Vendor) | Important | Revision | 1.1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:H/Au:N/C:N/I:N/A:P) | |||
---|---|---|---|
Cvss Base Score | 2.6 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | High |
Cvss Expoit Score | 4.9 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Revision Note: Clarified in Frequently Asked Questions (FAQ) Related to This Security Update that this security update will only be offered when IIS 7.0 is installed. Added information to the FAQ for Remote Unauthenticated Denial of Service in ASP.NET Vulnerability ? CVE-2009-1536 about the difference between Integrated Mode and Classic Mode in IIS 7.0. This is an informational change only. Customers who have successfully installed this update do not need to reinstall.Summary: This security update addresses a privately reported Denial of Service vulnerability in the Microsoft .NET Framework component of Microsoft Windows. This vulnerability can be exploited only when Internet Information Services (IIS) 7.0 is installed and ASP. |
Original Source
Url : http://www.microsoft.com/technet/security/bulletin/MS09-036.mspx |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:6393 | |||
Oval ID: | oval:org.mitre.oval:def:6393 | ||
Title: | Remote Unauthenticated Denial of Service in ASP.NET Vulnerability | ||
Description: | ASP.NET in Microsoft .NET Framework 2.0 SP1 and SP2 and 3.5 Gold and SP1, when ASP 2.0 is used in integrated mode on IIS 7.0, does not properly manage request scheduling, which allows remote attackers to cause a denial of service (daemon outage) via a series of crafted HTTP requests, aka "Remote Unauthenticated Denial of Service in ASP.NET Vulnerability." | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2009-1536 | Version: | 3 |
Platform(s): | Microsoft Windows Vista Microsoft Windows Server 2008 | Product(s): | Microsoft .NET Framework |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 4 | |
Os | 1 | |
Os | 2 |
OpenVAS Exploits
Date | Description |
---|---|
2010-12-13 | Name : Microsoft Windows ASP.NET Denial of Service Vulnerability(970957) File : nvt/gb_ms09-036.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
56905 | Microsoft .NET Framework Request Scheduling Crafted HTTP Request Remote DoS .NET Framework contains a flaw that may allow a remote denial of service. The issue is triggered by the way ASP.NET scheduling is managed , and will result in loss of availability for the IIS service. |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2009-08-13 | IAVM : 2009-B-0036 - Microsoft ASP.NET Denial of Service Vulnerability Severity : Category I - VMSKEY : V0019878 |
Snort® IPS/IDS
Date | Description |
---|---|
2021-01-26 | Microsoft ASP.NET bad request denial of service attempt RuleID : 56804 - Revision : 1 - Type : SERVER-IIS |
2017-08-31 | Microsoft ASP.NET bad request denial of service attempt RuleID : 43808 - Revision : 1 - Type : SERVER-IIS |
2017-08-31 | Microsoft ASP.NET bad request denial of service attempt RuleID : 43807 - Revision : 1 - Type : SERVER-IIS |
2014-01-10 | Microsoft ASP.NET bad request denial of service attempt RuleID : 15851 - Revision : 11 - Type : SERVER-IIS |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2009-08-11 | Name : The remote .Net Framework is susceptible to a denial of service attack. File : smb_nt_ms09-036.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2021-01-26 21:23:17 |
|
2014-02-17 11:46:17 |
|
2014-01-19 21:30:20 |
|
2013-11-11 12:41:12 |
|