SecurityTracker.com
Category:   Application (Directory)  >   Microsoft Active Directory
Vendors:   Microsoft
Microsoft Active Directory Bugs Let Remote Users Execute Arbitrary Code or Deny Service
SecurityTracker Alert ID:  1022349
SecurityTracker URL:  http://securitytracker.com/id/1022349
CVE Reference:   CVE-2009-1138, CVE-2009-1139
Date:  Jun 9 2009
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   Two vulnerabilities were reported in Microsoft Active Directory. A remote user can execute arbitrary code on the target system. A remote user can cause denial of service conditions.

A remote user can send specially crafted LDAP or LDAPS data to trigger a memory free error and execute arbitrary code on the target system [CVE-2009-1138]. The code will run with the privileges of the target service. Windows 2000 Server is affected. Joshua J. Drake of VeriSign iDefense Labs reported this vulnerability.

A remote user can send specially crafted LDAP or LDAPS data to trigger a memory leak and cause the target service to stop responding [CVE-2009-1139]. Windows 2000 Server and Windows Server 2003 are affected. Active Directory Application Mode (ADAM) installed on Windows XP Professional and Windows Server 2003 is also affected. Justin Wyatt from the Beaverton School District reported this vulnerability.

Impact:   A remote user can execute arbitrary code on the target system.

A remote user can cause the target service to stop responding.

Solution:   The vendor has issued the following fixes:

Microsoft Windows 2000 Server Service Pack 4, Active Directory:

http://www.microsoft.com/downloads/details.aspx?familyid=bba6e20a-0345-46ae-a6f1-fd27fdee7c21

Windows XP Professional Service Pack 2 and Windows XP Professional Service Pack 3, Active Directory Application Mode (ADAM):

http://www.microsoft.com/downloads/details.aspx?familyid=cb2c9b76-0c65-4754-9941-d45a7c74a29a

Windows XP Professional x64 Edition Service Pack 2, Active Directory Application Mode (ADAM):

http://www.microsoft.com/downloads/details.aspx?familyid=2ef3aaf0-a2a9-4c17-99ab-a0dc3d3f7e86

Windows Server 2003 Service Pack 2, Active Directory:

http://www.microsoft.com/downloads/details.aspx?familyid=d814ce65-a193-4027-a6cd-106d388830a6

Windows Server 2003 Service Pack 2, Active Directory Application Mode (ADAM):

http://www.microsoft.com/downloads/details.aspx?familyid=f6f99957-f74f-4446-8734-a468283eebae

Windows Server 2003 x64 Edition Service Pack 2, Active Directory:

http://www.microsoft.com/downloads/details.aspx?familyid=0d1f23c8-06eb-4996-92eb-0eb635fd6a42

Windows Server 2003 x64 Edition Service Pack 2, Active Directory Application Mode (ADAM):

http://www.microsoft.com/downloads/details.aspx?familyid=1a2badc7-c0a5-4032-a009-73ebe9d76313

Windows Server 2003 with SP2 for Itanium-based Systems, Active Directory:

http://www.microsoft.com/downloads/details.aspx?familyid=92e7808b-92ff-449d-bb73-ee8638e9ccd1

A restart is required.

The Microsoft advisory is available at:

http://www.microsoft.com/technet/security/bulletin/ms09-018.mspx

Vendor URL:  www.microsoft.com/technet/security/bulletin/ms09-018.mspx
Cause:   Access control error, State error
Underlying OS:  Windows (2000), Windows (2003), Windows (XP)

Message History:   None.

