CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:N/I:N/A:C
EPSS
Percentile
99.6%
A denial of service vulnerability exists in the implementation of the Remote Desktop Protocol (RDP) on the remote Windows host due to the way it accesses an object in memory that has been improperly initialized or has been deleted.
If RDP has been enabled on the affected system, an unauthenticated, remote attacker could leverage this vulnerability to cause the system to stop responding and automatically reboot by sending a sequence of specially crafted RDP packets to it.
Note that the Remote Desktop Protocol is not enabled by default.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(55795);
script_version("1.12");
script_cvs_date("Date: 2018/11/15 20:50:31");
script_cve_id("CVE-2011-1968");
script_bugtraq_id(48995);
script_xref(name:"MSFT", value:"MS11-065");
script_xref(name:"MSKB", value:"2570222");
script_name(english:"MS11-065: Vulnerability in Remote Desktop Protocol Could Allow Denial of Service (2570222)");
script_summary(english:"Checks version of Rdpwd.sys");
script_set_attribute(
attribute:"synopsis",
value:"The remote Windows host is susceptible to a denial of service attack."
);
script_set_attribute(
attribute:"description",
value:
"A denial of service vulnerability exists in the implementation of the
Remote Desktop Protocol (RDP) on the remote Windows host due to the way
it accesses an object in memory that has been improperly initialized or
has been deleted.
If RDP has been enabled on the affected system, an unauthenticated,
remote attacker could leverage this vulnerability to cause the system to
stop responding and automatically reboot by sending a sequence of
specially crafted RDP packets to it.
Note that the Remote Desktop Protocol is not enabled by default."
);
script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-065");
script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows XP and 2003.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2011/08/09");
script_set_attribute(attribute:"patch_publication_date", value:"2011/08/09");
script_set_attribute(attribute:"plugin_publication_date", value:"2011/08/09");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:remote_desktop_protocol");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows : Microsoft Bulletins");
script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.");
script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
script_require_keys("SMB/MS_Bulletin_Checks/Possible");
script_require_ports(139, 445, 'Host/patch_management_checks');
exit(0);
}
include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
bulletin = 'MS11-065';
kb = "2570222";
kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
if (hotfix_check_sp_range(xp:'3', win2003:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");
share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
if (
# Windows 2003 / XP 64-bit
hotfix_is_vulnerable(os:"5.2", sp:2, file:"Rdpwd.sys", version:"5.2.3790.4881", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||
# Windows XP 32-bit
hotfix_is_vulnerable(os:"5.1", sp:3, file:"Rdpwd.sys", version:"5.1.2600.6128", dir:"\system32\drivers", bulletin:bulletin, kb:kb)
)
{
set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
hotfix_security_hole();
hotfix_check_fversion_end();
exit(0);
}
else
{
hotfix_check_fversion_end();
audit(AUDIT_HOST_NOT, 'affected');
}