MS09-036: Vulnerability in ASP.NET in Microsoft Windows Could Allow Denial of Service (970957)

This script is Copyright (C) 2009-2013 Tenable Network Security, Inc.


Synopsis :

The remote .Net Framework is susceptible to a denial of service
attack.

Description :

The remote host is running a version of the .NET Framework component of
Microsoft Windows that is suspectible to a denial of service attack due
to the way ASP.NET manages request scheduling. Using specially crafted
anonymous HTTP requests, an anonymous, remote attacker can cause the web
server to become unresponsive until the associated application pool is
restarted.

Note that the vulnerable code in the .NET Framework is exposed only
through IIS 7.0 when operating in integrated mode.

See also :

http://technet.microsoft.com/en-us/security/bulletin/MS09-036

Solution :

Microsoft has released a set of patches for .NET Framework 2.0 and
3.5.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score : 4.1
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Windows : Microsoft Bulletins

Nessus Plugin ID: 40555 ()

Bugtraq ID: 35985

CVE ID: CVE-2009-1536