Vulnerability CVE-2011-1229


Published: 2011-04-13   Modified: 2012-02-13

Description:
win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a crafted application that triggers a NULL pointer dereference, a different vulnerability than other "Vulnerability Type 2" CVEs listed in MS11-034, aka "Win32k Null Pointer De-reference Vulnerability."

Type:

CWE-Other

Vendor: Microsoft
Product: Windows server 2008 
Version: r2;
Product: Windows 2003 server 
Product: Windows vista 
Product: Windows server 2003 
Product: Windows xp 
Product: Windows 7 
Vendor: Avaya
Product: Aura conferencing standard edition 
Version: 6.0.0;
Product: Unified messenger (r) 
Product: Octeldesignertm 
Product: Interaction center 
Product: Computer telephony 
Product: Agent access 
Product: Visual vector client 
Product: Outbound contact management 
Product: Ip softphone 
Product: Customer interaction express 
Product: Basic call management system reporting desktop 
Product: Web messenger 
Product: Unified communication center 
Product: Octelaccess(r) server 
Product: Integrated management 
Product: Callvisor asai lan 
Product: Visual messenger tm 
Product: Operational analyst 
Product: Ip agent 
Product: Contact center express 
Product: Vpnmanagertm console 
Product: Speech access 
Product: Network reporting 
Product: Enterprise manager 
Product: Call management server supervisor 

CVSS2 => (AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.2/10
10/10
3.9/10
Exploit range
Attack complexity
Authentication
Local
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete

 References:
http://blogs.technet.com/b/srd/archive/2011/04/12/ms11-034-addressing-vulnerabilities-in-the-win32k-subsystem.aspx
http://support.avaya.com/css/P8/documents/100133352
http://www.securityfocus.com/bid/47229
http://www.securitytracker.com/id?1025345
http://www.us-cert.gov/cas/techalerts/TA11-102A.html
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-034
https://exchange.xforce.ibmcloud.com/vulnerabilities/66411
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12503

Related CVE
CVE-2019-7003
A SQL injection vulnerability in the reporting component of Avaya Control Manager could allow an unauthenticated attacker to execute arbitrary SQL commands and retrieve sensitive data related to other users on the system. Affected versions of Avaya C...
CVE-2018-8812
An issue was discovered in Avaya one-X Portal for IP Office 9.1.2.0 and prior. The DownloadToLocalDriveServlet function from the AFA portal is only intended to download backup ZIP files from the server to the operator desktop; however, a malicious us...
CVE-2019-7006
Avaya one-X Communicator uses weak cryptographic algorithms in the client authentication component that could allow a local attacker to decrypt sensitive information. Affected versions include all 6.2.x versions prior to 6.2 SP13.
CVE-2018-15614
A vulnerability in the one-x Portal component of IP Office could allow an authenticated user to perform stored cross site scripting attacks via fields in the Conference Scheduler Service that could affect other application users. Affected versions of...
CVE-2018-15615
A vulnerability in the Supervisor component of Avaya Call Management System allows local administrative user to extract sensitive information from users connecting to a remote CMS host. Affected versions of CMS Supervisor include R17.0.x and R18.0.x.
CVE-2018-15613
A cross-site scripting (XSS) vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could result in malicious content being returned to the user. Affected versions of Avaya Aura Orchestration Designer include all versions ...
CVE-2018-15612
A CSRF vulnerability in the Runtime Config component of Avaya Aura Orchestration Designer could allow an attacker to add, change, or remove administrative settings. Affected versions of Avaya Aura Orchestration Designer include all versions up to 7.2...
CVE-2018-15610
A vulnerability in the one-X Portal component of Avaya IP Office allows an authenticated attacker to read and delete arbitrary files on the system. Affected versions of Avaya IP Office include 9.1 through 9.1 SP12, 10.0 through 10.0 SP7, and 10.1 thr...

Copyright 2019, cxsecurity.com

 

Back to Top