CVE-2009-1135

Severity Score

9.0

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Microsoft Internet Security and Acceleration (ISA) Server 2006 Gold and SP1, when Radius OTP is enabled, uses the HTTP-Basic authentication method, which allows remote attackers to gain the privileges of an arbitrary account, and access published web pages, via vectors involving attempted access to a network resource behind the ISA Server, aka "Radius OTP Bypass Vulnerability."

Microsoft Internet Security y Acceleration (ISA) Server 2006 Gold y SP1, cuando Radius OTP está activado, usa el método de autenticación HTTP-Basic, lo que permite a atacantes remotos obtener privilegios de una cuenta de su elección y acceso a la publicación de páginas, a través de vectores que involucran intentos de acceso sobre un recurso de red tras un servidor ISA. También conocido como "Vulnerabilidad Radius OTP Bypass".

*Credits: N/A

CVSS Scores

NISTv2 9.0

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2009-03-25 CVE Reserved
2009-07-15 CVE Published
2023-09-02 EPSS Updated
2024-08-07 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-264: Permissions, Privileges, and Access Controls

CAPEC

References (6)

URL	Tag	Source
http://secunia.com/advisories/35784	Third Party Advisory
http://www.securitytracker.com/id?1022547	Vdb Entry
http://www.us-cert.gov/cas/techalerts/TA09-195A.html	Third Party Advisory
http://www.vupen.com/english/advisories/2009/1889	Vdb Entry
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5649	Signature

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-031	2018-10-12

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Microsoft Search vendor "Microsoft"		Isa Server Search vendor "Microsoft" for product "Isa Server"				2006 Search vendor "Microsoft" for product "Isa Server" and version "2006"		-		Affected
Microsoft Search vendor "Microsoft"		Isa Server Search vendor "Microsoft" for product "Isa Server"				2006 Search vendor "Microsoft" for product "Isa Server" and version "2006"		sp1		Affected
Microsoft Search vendor "Microsoft"		Isa Server Search vendor "Microsoft" for product "Isa Server"				2006 Search vendor "Microsoft" for product "Isa Server" and version "2006"		supportability		Affected