| VID |
22255 |
| Severity |
40 |
| Port |
443,636 |
| Protocol |
TCP |
| Class |
SSL |
| Detailed Description |
A version of Microsoft SSL library which is vulnerable has been detected as running on the host. The Microsoft Secure Sockets Layer (SSL) library has multiple vulnerabilities as follows:
1. A denial of service vulnerability exists in the way that the Microsoft SSL library handles malformed SSL messages.
2. A buffer overflow vulnerability exists in the Private Communications Transport (PCT) protocol of the Secure Sockets Layer (SSL) library. PCT is a legacy protocol and is no longer commonly used.
If SSL is enabled, a remote attacker could send a specially-crafted TCP message to the vulnerable system, to overflow a buffer and cause a denial of service. It also may be possible for the attacker to use this vulnerability to execute arbitrary code on the system.
* References:
http://xforce.iss.net/xforce/alerts/id/168
* Platforms Affected:
Any Microsoft service which utilizes SSL
Microsoft Exchange 5.5, 2000, 2003
Microsoft IIS Any version
Microsoft Windows 2000, XP
Microsoft Windows Server 2003 |
| Recommendation |
Apply the security update, as listed in the Microsoft Security Bulletin MS04-011 at http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx |
| Related URL |
CVE-2004-0120 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
15712,12380 (ISS) |
|
