Microsoft IIS FTP server 7.5 is affected by a pre-authentication memory corruption vulnerability.
A specially crafted request sent to the IIS FTP service can result in memory corruption causing the service to crash. A denial-of-service exploit has been released to the public. IIS 7.5.7600.16385 on Windows 7 is reported to be affected. Other versions may also be affected. Additional details are available on Microsoft's Security Research & Defense blog.
An attacker can cause a denial of service. Depending on the specifics of the vulnerability, an attacker could potentially execute arbitrary code.
We are currently unaware of a practical solution to this problem.
Appropriate firewall rules should be implemented to restrict access to trusted sources. Customers of IPS vendors should request updated signatures for this vulnerability and block related traffic.
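To confirm that the firewall workaround above is in effect on a host, the following added example (not part of the original note or any vendor tooling) parses saved `netsh advfirewall firewall show rule name=all` output and lists enabled inbound allow rules that still admit any remote address to TCP port 21. The sample text is constructed; the rule names and the 192.0.2.0/24 trusted subnet are illustrative assumptions.

```python
import re

# Constructed sample shaped like `netsh advfirewall firewall show rule name=all`
# output (fields trimmed). Rule names and addresses are illustrative assumptions.
SAMPLE = """\
Rule Name:                            FTP Server (FTP Traffic-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            21
Action:                               Allow

Rule Name:                            FTP from trusted admin subnet
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
RemoteIP:                             192.0.2.0/24
Protocol:                             TCP
LocalPort:                            20-21
Action:                               Allow
"""

def parse_rules(text):
    # One dict per rule; a "Rule Name" line starts a new rule.
    rules = []
    for key, val in re.findall(r"^([^:\n]+):[ \t]+(.*)$", text, re.M):
        if key == "Rule Name":
            rules.append({})
        if rules:
            rules[-1][key.strip()] = val.strip()
    return rules

def covers_port(spec, port):
    # LocalPort may be "Any", a single port, a range, or a comma-separated mix.
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        hi = hi or lo
        if lo.lower() == "any" or (lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi)):
            return True
    return False

def exposed_ftp_rules(text, port=21):
    # Enabled inbound allow rules that let any remote address reach the FTP port.
    return [r["Rule Name"] for r in parse_rules(text)
            if r.get("Enabled") == "Yes" and r.get("Direction") == "In"
            and r.get("Action") == "Allow" and r.get("Protocol") in ("TCP", "Any")
            and covers_port(r.get("LocalPort", "Any"), port)
            and r.get("RemoteIP", "Any") == "Any"]
```

Windows Firewall allow rules are additive, so a scoped rule for trusted sources does not restrict access while any rule returned by `exposed_ftp_rules` remains enabled.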
This vulnerability was reported to the public by Matthew Bergin via Exploit-DB.
This document was written by Jared Allar.
Date First Published: 2010-12-22
Date Last Updated: 2010-12-23 15:22 UTC