CVE-2009-2505

2009-12-0918:30:00

CWE-287

[email protected]

web.nvd.nist.gov

cve-2009-2505

internet authentication service

ias

microsoft

windows vista

server 2008

sp2

ms-chap v2

peap

remote code execution

memory corruption

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

7.6 High

AI Score

Confidence

Low

0.242 Low

EPSS

Percentile

96.6%

JSON

The Internet Authentication Service (IAS) in Microsoft Windows Vista SP2 and Server 2008 SP2 does not properly validate MS-CHAP v2 Protected Extensible Authentication Protocol (PEAP) authentication requests, which allows remote attackers to execute arbitrary code via crafted structures in a malformed request, aka “Internet Authentication Service Memory Corruption Vulnerability.”

Affected configurations

NVD

Node

microsoftwindows_server_2008sp2itanium

microsoftwindows_server_2008Matchsp2x32

microsoftwindows_server_2008Matchsp2x64

microsoftwindows_vistasp2

CPENameOperatorVersion
microsoft:windows_server_2008microsoft windows server 2008eq*
microsoft:windows_server_2008microsoft windows server 2008eqsp2
microsoft:windows_vistamicrosoft windows vistaeq*

CPE	Name	Operator	Version
microsoft:windows_server_2008	microsoft windows server 2008	eq	*
microsoft:windows_server_2008	microsoft windows server 2008	eq	sp2
microsoft:windows_vista	microsoft windows vista	eq	*