CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS Percentile: 97.4%
Microsoft Data Access Components (MDAC) contains a buffer overflow vulnerability that could allow a remote attacker to execute arbitrary code or cause a denial of service.
From Microsoft Security Bulletin MS04-003:
Microsoft Data Access Components (MDAC) is a collection of components that provides the underlying functionality for a number of database operations, such as connecting to remote databases and returning data to a client.
MS04-003 notes that “…MDAC is a ubiquitous technology” that is installed as part of Windows 2000, Windows XP, and other Microsoft programs (e.g., Microsoft Access and Microsoft SQL Server).
An MDAC client sends a network broadcast to port 1434/udp to query for systems running Microsoft SQL Server. A buffer overflow vulnerability exists in an MDAC component that handles responses to such a query. The vulnerability could be triggered by a specially crafted response packet. An MDAC client is only vulnerable for some period of time after it issues a query.
A remote attacker could execute arbitrary code with the privileges of the process using MDAC. The attacker could also cause a denial of service.
Apply patch
Apply the appropriate patch referenced in Microsoft Security Bulletin MS04-003.
Block or Restrict Access
Block or restrict inbound access to port 1434/udp. Note that a firewall that performs stateful inspection may allow inbound responses after recording an outbound broadcast.
139150
Updated: January 19, 2004
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
Please see Microsoft Security Bulletin MS04-003.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Information used in this document came from Microsoft Security Bulletin MS04-003.
This document was written by Art Manion.
CVE IDs: | CVE-2003-0903 |
---|---|
Severity Metric: | 10.60 |
Date Public: | |
msdn.microsoft.com/library/default.asp?url=/library/en-us/dnmdac/html/datechartoverview.asp
msdn.microsoft.com/library/default.asp?url=/library/en-us/dnmdac/html/technologyfeatures.asp
support.microsoft.com/default.aspx?kbid=231943
support.microsoft.com/default.aspx?kbid=301202
support.microsoft.com/default.aspx?kbid=813878
www.microsoft.com/technet/security/bulletin/ms04-003.asp
www.secunia.com/advisories/10616/
www.securityfocus.com/bid/9407