CVE-2008-3009

critical

Description

Microsoft Windows Media Player 6.4, Windows Media Format Runtime 7.1 through 11, and Windows Media Services 4.1, 9, and 2008 do not properly use the Service Principal Name (SPN) identifier when validating replies to authentication requests, which allows remote servers to execute arbitrary code via vectors that employ NTLM credential reflection, aka "SPN Vulnerability."

References

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5942

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-076

http://www.vupen.com/english/advisories/2008/3388

http://www.us-cert.gov/cas/techalerts/TA08-344A.html

http://www.securitytracker.com/id?1021373

http://www.securitytracker.com/id?1021372

http://www.securityfocus.com/bid/32653

http://secunia.com/advisories/33058

Details

Source: Mitre, NVD

Published: 2008-12-10

Updated: 2023-12-07

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical