Vulnerability CVE-2008-3009


Published: 2008-12-10   Modified: 2012-02-12

Description:
Microsoft Windows Media Player 6.4, Windows Media Format Runtime 7.1 through 11, and Windows Media Services 4.1, 9, and 2008 do not properly use the Service Principal Name (SPN) identifier when validating replies to authentication requests, which allows remote servers to execute arbitrary code via vectors that employ NTLM credential reflection, aka "SPN Vulnerability."

Type:

CWE-255

(Credentials Management)

CVSS2 => (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
10/10
10/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete
Affected software
Microsoft -> Windows media format runtime 
Microsoft -> Windows media player 
Microsoft -> Windows media services 

 References:
http://www.securityfocus.com/bid/32653
http://www.securitytracker.com/id?1021372
http://www.securitytracker.com/id?1021373
http://www.us-cert.gov/cas/techalerts/TA08-344A.html
http://www.vupen.com/english/advisories/2008/3388
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-076
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5942

Copyright 2022, cxsecurity.com

 

Back to Top