CVE-2017-0171 — Improper Input Validation in Corporation Windows DNS Server

CWE-20 — Improper Input Validation5 documents5 sources

Severity

5.9MEDIUMNVD

EPSS

21.5%

top 4.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Corporation Windows DNS Server Microsoft Windows Server 2008 Microsoft Windows Server 2012 +6 more

Timeline

PublishedMay 12

Latest updateMay 17

Description

Windows DNS Server allows a denial of service vulnerability when Microsoft Windows Server 2008 SP2 and R2 SP1, Windows Server 2012 Gold and R2, and Windows Server 2016 are configured to answer version queries, aka "Windows DNS Server Denial of Service Vulnerability".

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages8 packages

▶msrcmsrc/windows_server_2008_for_32-bit_systems_service_pack_2

▶msrcmsrc/windows_server_2008_for_x64-based_systems_service_pack_2

▶msrcmsrc/windows_server_2008_r2_for_x64-based_systems_service_pack_1

▶msrcmsrc/windows_server_2012

▶msrcmsrc/windows_server_2016

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-rj85-q8wm-7qhg: Windows DNS Server allows a denial of service vulnerability when Microsoft Windows Server 2008 SP2 and R2 SP1, Windows Server 2012 Gold and R2, and Wi↗2022-05-17

▶

📋Vendor Advisories

Microsoft

Windows DNS Server Denial of Service Vulnerability↗2017-05-09

▶

🕵️Threat Intelligence

Talos

Microsoft Patch Tuesday - May 2017↗2017-05-10

▶