CVE-2008-4114 Details

CVE-2008-4114

Published: 2008-09-16
Last Modified: 2019-02-26
CVE Author: NIST National Vulnerability Database
CVE Assigner: cve@mitre.org
Summary

srv.sys in the Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via an SMB WRITE_ANDX packet with an offset that is inconsistent with the packet size, related to "insufficiently validating the buffer size," as demonstrated by a request to the \PIPE\lsarpc named pipe, aka "SMB Validation Denial of Service Vulnerability."

Analysis
Common Vulnerability Score System v2.0
Severity High
Base Score 7.1/10
Exploit Score 8.6/10
Access Vector Network
Access Complexity Medium
Authentication None
Impact Score 6.9/10
Confidentiality Impact None
Availability Impact Complete
Integrity Impact None
Vector String AV:N/AC:M/Au:N/C:N/I:N/A:C
Common Vulnerability Score System v3.1

NIST has not assigned a CVSSv3.1 Score.

Products Reported
CPE Vulnerable Start Excluding
cpe:2.3:o:microsoft:windows_2000:*:sp4:*:*:*:*:*:* Yes - -
cpe:2.3:o:microsoft:windows_server_2003:*:*:*:*:*:*:*:* Yes - -
cpe:2.3:o:microsoft:windows_server_2003:*:sp1:*:*:*:*:*:* Yes - -
cpe:2.3:o:microsoft:windows_server_2003:*:sp1:itanium:*:*:*:*:* Yes - -
cpe:2.3:o:microsoft:windows_server_2003:*:sp2:*:*:*:*:*:* Yes - -
cpe:2.3:o:microsoft:windows_server_2008:*:*:itanium:*:*:*:*:* Yes - -
cpe:2.3:o:microsoft:windows_server_2008:*:*:x32:*:*:*:*:* Yes - -
cpe:2.3:o:microsoft:windows_server_2008:*:*:x64:*:*:*:*:* Yes - -
cpe:2.3:o:microsoft:windows_vista:*:gold:x64:*:*:*:*:* Yes - -
cpe:2.3:o:microsoft:windows_vista:*:sp1:x64:*:*:*:*:* Yes - -
cpe:2.3:o:microsoft:windows_vista:gold:*:*:*:*:*:*:* Yes - -
cpe:2.3:o:microsoft:windows_vista:sp1:*:*:*:*:*:*:* Yes - -
cpe:2.3:o:microsoft:windows_xp:*:*:pro_x64:*:*:*:*:* Yes - -
cpe:2.3:o:microsoft:windows_xp:*:sp2:*:*:*:*:*:* Yes - -
cpe:2.3:o:microsoft:windows_xp:*:sp2:pro_x64:*:*:*:*:* Yes - -
cpe:2.3:o:microsoft:windows_xp:*:sp3:*:*:*:*:*:* Yes - -
References

http://secunia.com/advisories/31883
http://www.reversemode.com/index.php?option=com_content&task=view&id=54&Itemid=1
http://www.securityfocus.com/archive/1/496354/100/0/threaded
http://www.securityfocus.com/bid/31179
http://www.securitytracker.com/id?1020887
http://www.us-cert.gov/cas/techalerts/TA09-013A.html
http://www.vallejo.cc/proyectos/vista_SMB_write_DoS.htm
http://www.vupen.com/english/advisories/2008/2583
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-001
https://exchange.xforce.ibmcloud.com/vulnerabilities/45146
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5262
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6044
https://www.exploit-db.com/exploits/6463

CVE ID
CVE-2008-4114
Published
2008-09-16
Modified
2019-02-26
CVSSv2.0
High
PCI Compliance
Fail
US-CERT Alert
No
CWE
CWE-399

You never have to pay for a vulnerability scanning and management software again.

Tired of paying a subscription 'per asset' or 'per IP'? Well you can officially cancel your current subscription. Mageni provides a free, open source and enterprise-ready vulnerability scanning and management platform which helps you to find, prioritize, remediate and manage your vulnerabilities.