Vulnerabilities > CVE-2011-1968 - Resource Management Errors vulnerability in Microsoft products

047910
CVSS 7.1 - HIGH
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
COMPLETE
network
microsoft
CWE-399
nessus

Summary

The Remote Desktop Protocol (RDP) implementation in Microsoft Windows XP SP2 and SP3 and Windows Server 2003 SP2 does not properly process packets in memory, which allows remote attackers to cause a denial of service (reboot) by sending crafted RDP packets triggering access to an object that (1) was not properly initialized or (2) is deleted, as exploited in the wild in 2011, aka "Remote Desktop Protocol Vulnerability."

Common Weakness Enumeration (CWE)

Msbulletin

bulletin_idMS11-065
bulletin_url
date2011-08-09T00:00:00
impactDenial of Service
knowledgebase_id2570222
knowledgebase_url
severityImportant
titleVulnerability in Remote Desktop Protocol Could Allow Denial of Service

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS11-065.NASL
descriptionA denial of service vulnerability exists in the implementation of the Remote Desktop Protocol (RDP) on the remote Windows host due to the way it accesses an object in memory that has been improperly initialized or has been deleted. If RDP has been enabled on the affected system, an unauthenticated, remote attacker could leverage this vulnerability to cause the system to stop responding and automatically reboot by sending a sequence of specially crafted RDP packets to it. Note that the Remote Desktop Protocol is not enabled by default.
last seen2020-06-01
modified2020-06-02
plugin id55795
published2011-08-09
reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/55795
titleMS11-065: Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (2570222)
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(55795);
  script_version("1.12");
  script_cvs_date("Date: 2018/11/15 20:50:31");

  script_cve_id("CVE-2011-1968");
  script_bugtraq_id(48995);
  script_xref(name:"MSFT", value:"MS11-065");
  script_xref(name:"MSKB", value:"2570222");

  script_name(english:"MS11-065: Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (2570222)");
  script_summary(english:"Checks version of Rdpwd.sys");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Windows host is susceptible to a denial of service attack."
  );
  script_set_attribute(
    attribute:"description",
    value:
"A denial of service vulnerability exists in the implementation of the
Remote Desktop Protocol (RDP) on the remote Windows host due to the way
it accesses an object in memory that has been improperly initialized or
has been deleted.

If RDP has been enabled on the affected system, an unauthenticated,
remote attacker could leverage this vulnerability to cause the system to
stop responding and automatically reboot by sending a sequence of
specially crafted RDP packets to it.

Note that the Remote Desktop Protocol is not enabled by default."
  );
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-065");
  script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows XP and 2003.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/08/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/08/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/08/09");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:remote_desktop_protocol");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}


include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");


get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS11-065';
kb = "2570222";

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);


get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(xp:'3', win2003:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  # Windows 2003 / XP 64-bit
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Rdpwd.sys", version:"5.2.3790.4881", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||

  # Windows XP 32-bit
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Rdpwd.sys", version:"5.1.2600.6128", dir:"\system32\drivers", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();

  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted2011-09-26T04:00:14.153-04:00
classvulnerability
contributors
nameJosh Turpin
organizationSymantec Corporation
definition_extensions
  • commentMicrosoft Windows XP (x86) SP3 is installed
    ovaloval:org.mitre.oval:def:5631
  • commentMicrosoft Windows XP x64 Edition SP2 is installed
    ovaloval:org.mitre.oval:def:4193
  • commentMicrosoft Windows Server 2003 SP2 (x86) is installed
    ovaloval:org.mitre.oval:def:1935
  • commentMicrosoft Windows Server 2003 SP2 (x64) is installed
    ovaloval:org.mitre.oval:def:2161
  • commentMicrosoft Windows Server 2003 (ia64) SP2 is installed
    ovaloval:org.mitre.oval:def:1442
descriptionThe Remote Desktop Protocol (RDP) implementation in Microsoft Windows XP SP2 and SP3 and Windows Server 2003 SP2 does not properly process packets in memory, which allows remote attackers to cause a denial of service (reboot) by sending crafted RDP packets triggering access to an object that (1) was not properly initialized or (2) is deleted, as exploited in the wild in 2011, aka "Remote Desktop Protocol Vulnerability."
familywindows
idoval:org.mitre.oval:def:12806
statusaccepted
submitted2011-08-09T13:00:00
titleRemote Desktop Protocol Vulnerability
version42

Seebug

bulletinFamilyexploit
descriptionBugtraq ID: 48995 CVE ID:CVE-2011-1968 Microsoft Windows是一款流行的操作系统。 当处理特制的RDP报文时,远程桌面服务存在安全漏洞,攻击者发送特制的RDP报文序列可使系统重新启动。 要成功利用漏洞需要远程桌面管理启用(默认不启用) Microsoft Windows XP Service Pack 3 0 Microsoft Windows XP Professional x64 Edition SP2 Microsoft Windows XP Professional x64 Edition Microsoft Windows XP Professional SP3 Microsoft Windows XP Professional SP2 Microsoft Windows XP Professional SP1 Microsoft Windows XP Professional Microsoft Windows XP Home SP3 Microsoft Windows XP Home SP2 Microsoft Windows XP Home SP1 Microsoft Windows XP Home Microsoft Windows XP 64-bit Edition SP1 Microsoft Windows XP 64-bit Edition Microsoft Windows Server 2003 x64 SP2 Microsoft Windows Server 2003 x64 SP1 Microsoft Windows Server 2003 Itanium SP2 Microsoft Windows Server 2003 Itanium SP1 Microsoft Windows Server 2003 Itanium 厂商解决方案 用户可参考如下供应商提供的安全公告获得补丁信息: http://www.microsoft.com/technet/security/Bulletin/MS11-065.mspx
idSSV:20832
last seen2017-11-19
modified2011-08-10
published2011-08-10
reporterRoot
titleMicrosoft Windows 远程桌面协议CVE-2011-1968拒绝服务漏洞