|CERT-In Vulnerability Note
Microsoft Web Services on Devices API WSDAPI remote code execution vulnerability
Original Issue Date:November 11, 2009
Severity Rating: HIGH
- Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
- Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 including Server-Core installation
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2 including Server-Core installation
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
A remote code execution vulnerability has been reported in Microsoft Windows Web Services on Devices API WSDAPI , which could be exploited by remote attackers to compromise a vulnerable system.
Web Services on Devices allows a Windows client to discover and access remote devices, such as personal digital assistants (PDAs) and computer peripherals, including printers and cameras, as well as consumer electronics and their associated services across a network. Web Services on Devices API (WSDAPI) implements the Devices Profile for Web Services (DPWS) for Windows Vista and Windows Server 2008.
A remote code execution vulnerability exists in the Microsoft Web Services on Devices API (WSDAPI) which could allow a remote attacker to execute arbitrary code with the privileges of exploited service.
The vulnerability is caused due to a memory corruption error while processing a WSD message with specially crafted headers. An attacker could exploit this vulnerability by sending a specially crafted message to WSD TCP ports or by sending specially crafted response to a WSD message querying for devices, when initiated by a Windows client.
Apply appropriate patches as mentioned in Microsoft Security Bulletin
The information provided herein is on "as is" basis, without warranty of any kind.
Email: email@example.com Phone: +91-11-2436857
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003