CVE-2011-2014 — Improper Authentication in Microsoft Windows Server 2008

CWE-287 — Improper Authentication CWE-299 — Improper Check for Certificate Revocation15 documents8 sources

Severity

9.0CRITICALNVD

OSV7.5OSV5.9

EPSS

9.5%

top 7.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Busybox Redhat Libvirt Microsoft Windows Server 2008

Timeline

PublishedNov 8

Latest updateMay 13

Description

The LDAP over SSL (aka LDAPS) implementation in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS) in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not examine Certificate Revocation Lists (CRLs), which allows remote authenticated users to bypass intended certificate restrictions and access Active Directory resources by leve…

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 8.0 | Impact: 10.0

Affected Packages3 packages

▶NVDmicrosoft/windowsr2

▶Ubunturedhat/libvirt< 1.2.2-0ubuntu13.1.16

▶Ubuntubusybox/busybox< 1:1.21.0-1ubuntu1.4+2

🔴Vulnerability Details

GHSA

GHSA-qm9j-69fp-v8p4: The LDAP over SSL (aka LDAPS) implementation in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory↗2022-05-13

▶

OSV

busybox vulnerabilities↗2019-04-03

▶

OSV

libvirt vulnerabilities↗2016-01-12

▶

💥Exploits & PoCs

Exploit-DB

Ubisoft Rayman Legends 1.2.103716 - Remote Stack Buffer Overflow (PoC)↗2014-06-18

▶

Exploit-DB

PCMan FTP Server 2.07 - 'ABOR' Remote Buffer Overflow↗2014-01-29

▶

Exploit-DB

Apache - Denial of Service↗2011-12-09

▶

Exploit-DB

Apache - Remote Memory Exhaustion (Denial of Service)↗2011-08-19

▶

📋Vendor Advisories

Red Hat

nginx: SMTP STARTTLS plaintext injection flaw↗2014-08-05

▶

📐Framework References

CWE

Improper Check for Certificate Revocation↗

▶

📄Research Papers

CTF

hashes / README↗2014

▶

💬Community

Bugzilla

gcc: resource consumption issue in libstdc++ C++ regex library↗2014-08-05

▶

Bugzilla

gcc: memory corruption issues in libstdc++ C++ regex library↗2014-08-05

▶

Bugzilla

CVE-2014-4978 rawstudio: Insecure use of temporary file↗2014-07-16

▶

Bugzilla

CVE-2014-0104 fence-agents: no verification of remote SSL certificates↗2014-02-28

▶