CVE-2017-7269 — CRITICAL (9.8)

Q: How severe is CVE-2017-7269?

CVE-2017-7269 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2017-7269?

Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Internet Information Services, Microsoft Windows Server 2003.

Vulnerability Description

Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Microsoft	Internet Information Services	6.0
Microsoft	Windows Server 2003	r2

Related Weaknesses (CWE)

CWE-120

References

http://www.securityfocus.com/bid/97127Broken LinkThird Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1038168Broken LinkThird Party AdvisoryVDB Entry
https://0patch.blogspot.com/2017/03/0patching-immortal-cve-2017-7269.htmlExploitThird Party Advisory
https://github.com/danigargu/explodingcanExploit
https://github.com/edwardz246003/IIS_exploitBroken LinkThird Party Advisory
https://github.com/rapid7/metasploit-framework/pull/8162Issue TrackingPatch
https://medium.com/%40iraklis/number-of-internet-facing-vulnerable-iis-6-0-to-cvExploit
https://support.microsoft.com/en-us/help/3197835/description-of-the-security-updBroken LinkPatchVendor Advisory
https://www.exploit-db.com/exploits/41738/ExploitThird Party AdvisoryVDB Entry
https://www.exploit-db.com/exploits/41992/ExploitThird Party AdvisoryVDB Entry
http://www.securityfocus.com/bid/97127Broken LinkThird Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1038168Broken LinkThird Party AdvisoryVDB Entry
https://0patch.blogspot.com/2017/03/0patching-immortal-cve-2017-7269.htmlExploitThird Party Advisory
https://github.com/danigargu/explodingcanExploit
https://github.com/edwardz246003/IIS_exploitBroken LinkThird Party Advisory

FAQ

What is CVE-2017-7269?

CVE-2017-7269 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary c...

How severe is CVE-2017-7269?

CVE-2017-7269 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2017-7269?

Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Internet Information Services, Microsoft Windows Server 2003.