CVE-1999-1537
CVSS5.0
发布时间 :1999-07-07 00:00:00
修订时间 :2016-10-17 22:05:40
NMCOS    

[原文]IIS 3.x and 4.x does not distinguish between pages requiring encryption and those that do not, which allows remote attackers to cause a denial of service (resource exhaustion) via SSL requests to the HTTPS port for normally unencrypted files, which will cause IIS to perform extra work to send the files over SSL.


[CNNVD]NT IIS SSL DoS漏洞(CNNVD-199907-011)

        IIS 3.x及4.x版本存在漏洞。IIS 3.x及4.x版本不能区分需要加密术的页面和不需要的页面,远程攻击者借助一般不加密文件HPPTS端口的SSL请求导致服务拒绝(资源耗尽),该漏洞导致IIS执行额外工作来发送SSL之上的文件。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:microsoft:internet_information_server:4.0Microsoft IIS 4.0
cpe:/a:microsoft:internet_information_server:3.0Microsoft IIS 3.0

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1537
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1537
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199907-011
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=ntbugtraq&m=93138827329577&w=2
(UNKNOWN)  NTBUGTRAQ  19990707 SSL and IIS.
http://www.securityfocus.com/bid/521
(VENDOR_ADVISORY)  BID  521
http://xforce.iss.net/static/2352.php
(VENDOR_ADVISORY)  XF  ssl-iis-dos(2352)

- 漏洞信息

NT IIS SSL DoS漏洞
中危 设计错误
1999-07-07 00:00:00 2005-05-13 00:00:00
远程※本地  
        IIS 3.x及4.x版本存在漏洞。IIS 3.x及4.x版本不能区分需要加密术的页面和不需要的页面,远程攻击者借助一般不加密文件HPPTS端口的SSL请求导致服务拒绝(资源耗尽),该漏洞导致IIS执行额外工作来发送SSL之上的文件。

- 公告与补丁

        Microsoft has been notified and has passed the information to the IIS Security and IIS Development teams.

- 漏洞信息

13558
Microsoft IIS SSL Request Resource Exhaustion DoS
Denial of Service
Loss of Availability

- 漏洞描述

Unknown or Incomplete

- 时间线

1999-07-07 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

NT IIS SSL DoS Vulnerability
Design Error 521
Yes Yes
1999-07-07 12:00:00 2009-07-11 12:56:00
Posted to NTbugtraq July 7, 1999 by Heather.Field (Exchange) <Heather.Field@DHCMAIL.COM>.

- 受影响的程序版本

Microsoft IIS 4.0
+ Cisco Building Broadband Service Manager (BBSM) 5.0
+ Cisco Building Broadband Service Manager (BBSM) 5.0
+ Cisco Call Manager 3.0
+ Cisco Call Manager 3.0
+ Cisco Call Manager 2.0
+ Cisco Call Manager 2.0
+ Cisco Call Manager 1.0
+ Cisco Call Manager 1.0
+ Cisco ICS 7750
+ Cisco ICS 7750
+ Cisco IP/VC 3540 Video Rate Matching Module
+ Cisco IP/VC 3540 Video Rate Matching Module
+ Cisco Unity Server 2.4
+ Cisco Unity Server 2.4
+ Cisco Unity Server 2.3
+ Cisco Unity Server 2.3
+ Cisco Unity Server 2.2
+ Cisco Unity Server 2.2
+ Cisco Unity Server 2.0
+ Cisco Unity Server 2.0
+ Cisco uOne 4.0
+ Cisco uOne 4.0
+ Cisco uOne 3.0
+ Cisco uOne 3.0
+ Cisco uOne 2.0
+ Cisco uOne 2.0
+ Cisco uOne 1.0
+ Cisco uOne 1.0
+ Hancom Hancom Office 2007 0
+ Hancom Hancom Office 2007 0
+ Microsoft BackOffice 4.5
+ Microsoft BackOffice 4.5
+ Microsoft Windows NT 4.0 Option Pack
+ Microsoft Windows NT 4.0 Option Pack
Microsoft IIS 3.0
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0

- 漏洞讨论

NT Servers running IIS with SSL security enabled are susceptible to a DoS attack due to the server's inability to differentiate between pages that require SSL and those that don't. Therefore, by replacing the 'http' string in the URL with 'https' the server can be forced to encrypt any content in the web site, including high-bandwidth pages. An attacker could, with carefully planned https requests, drive the processor utilization to 100% resulting in extreme slowdown or even failure of the server.

- 漏洞利用

see discussion

- 解决方案

Microsoft has been notified and has passed the information to the IIS Security and IIS Development teams.

- 相关参考

     

     

    关于SCAP中文社区

    SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

    版权声明

    CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站