CVE-2011-1889
Published 2011-06-16
Priority P185 · critical · 9.8 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV: CISA Known Exploited Vulnerability · due 2022-03-24
ITW: Exploited in the wild
EPSS: 48.37% (98.7th percentile)
The NSPLookupServiceNext function in the client in Microsoft Forefront Threat Management Gateway (TMG) 2010 allows remote attackers to execute arbitrary code via vectors involving unspecified requests, aka "TMG Firewall Client Memory Corruption Vulnerability."
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | forefront_threat_management_gateway | — | — |
Detection & IOCs (extracted from sources)
- Vulnerability is triggered via the NSPLookupServiceNext function in the Microsoft Forefront TMG Firewall Client Winsock provider; monitor for anomalous calls or crashes in this function on TMG client systems.
- Code execution occurs in the security context of the client application using the TMG Firewall Client Winsock provider; monitor for unexpected child processes or code injection from applications using the TMG Winsock provider.
- The attack vectors are described as 'unspecified requests', meaning the exact network-level trigger is not publicly documented, limiting precise network-based detection rule creation.
CVSS provenance
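| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |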
GHSA
GHSA-v7xg-xv38-f34w
ghsa_unreviewed · 2022-05-14
CVE-2011-1889 [HIGH] CWE-119
The NSPLookupServiceNext function in the client in Microsoft Forefront Threat Management Gateway (TMG) 2010 allows remote attackers to execute arbitrary code via vectors involving unspecified requests, aka "TMG Firewall Client Memory Corruption Vulnerability."
VulnCheck
Microsoft Forefront TMG Remote Code Execution Vulnerability
vulncheck · 2011 · CVSS 9.8
CVE-2011-1889 [CRITICAL] CWE-119
A remote code execution vulnerability exists in the Forefront Threat Management Gateway (TMG) Firewall Client Winsock provider that could allow code execution in the security context of the client application.
Affected: Microsoft Forefront Threat Management Gateway (TMG)
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-03-24
CISA
Microsoft Forefront TMG Remote Code Execution Vulnerability
cisa · 2022-03-03 · CVSS 9.8
CVE-2011-1889 [CRITICAL] CWE-119
Affected: Microsoft Forefront Threat Management Gateway (TMG)
A remote code execution vulnerability exists in the Forefront Threat Management Gateway (TMG) Firewall Client Winsock provider that could allow code execution in the security context of the client application.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2011-1889
Remediation Due Date: 2022-03-24
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
- http://secunia.com/advisories/44857
- http://www.securityfocus.com/bid/48181
- http://www.securitytracker.com/id?1025637
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-040
- https://exchange.xforce.ibmcloud.com/vulnerabilities/67736
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12642
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2011-1889
2011-06-16: Published
2022-03-03: Added to CISA KEV
Exploited in the wild