CVE-2010-0025: Infoleak
First published: Wed Apr 14 2010(Updated: )
The SMTP component in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, and Server 2008 Gold, SP2, and R2, and Exchange Server 2000 SP3, does not properly allocate memory for SMTP command replies, which allows remote attackers to read fragments of e-mail messages by sending a series of invalid commands and then sending a STARTTLS command, aka "SMTP Memory Allocation Vulnerability."
Credit: secure@microsoft.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microsoft Windows 2000 | =sp4 | |
| Microsoft Windows XP | =sp3 | |
| Microsoft Windows XP | =sp2 | |
| Microsoft Windows XP | =sp2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server 2003 | =sp2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Windows Server | ||
| Microsoft Windows Server | =r2 | |
| Microsoft Windows Server | =sp2 | |
| Microsoft Exchange Server | =2000-sp3 | |
| Microsoft Exchange Server | =2003-sp2 | |
| Microsoft Exchange Server | =2007-sp2 | |
| Microsoft Exchange Server | =2007-sp1 | |
| Microsoft Exchange Server | =2010 | |
| =sp4 | ||
| =sp2 | ||
| =sp2 | ||
| =sp3 | ||
| =sp2 | ||
| =sp2 | ||
| =r2 | ||
| =sp2 | ||
| =sp2 | ||
| =sp2 | ||
| =2000-sp3 | ||
| =2003-sp2 | ||
| =2007-sp1 | ||
| =2007-sp2 | ||
| =2010 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2010-0025?
CVE-2010-0025 is considered a critical vulnerability that can lead to unauthorized access to email fragments.
How do I fix CVE-2010-0025?
To fix CVE-2010-0025, ensure that you apply the latest security updates provided by Microsoft for the affected software.
What systems are affected by CVE-2010-0025?
CVE-2010-0025 affects Microsoft Windows 2000 SP4, XP SP2 and SP3, Windows Server 2003 SP2, Windows Server 2008, and Exchange Server 2000 and 2003.
What can attackers do with CVE-2010-0025?
Attackers exploiting CVE-2010-0025 can potentially read fragments of email messages through specially crafted SMTP commands.
Is there a workaround for CVE-2010-0025?
While a specific workaround is not recommended, disabling the SMTP service can mitigate risks associated with CVE-2010-0025 until a patch is applied.
- agent/references
- agent/type
- agent/weakness
- agent/severity
- agent/author
- agent/remedy
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/event
- vendor/microsoft
- canonical/microsoft windows 2000
- version/microsoft windows 2000/sp4
- canonical/microsoft windows xp
- version/microsoft windows xp/sp3
- version/microsoft windows xp/sp2
- canonical/microsoft windows server
- version/microsoft windows server/sp2
- canonical/microsoft windows server 2003
- version/microsoft windows server 2003/sp2
- version/microsoft windows server/r2
- canonical/microsoft exchange server
- version/microsoft exchange server/2000-sp3
- version/microsoft exchange server/2003-sp2
- version/microsoft exchange server/2007-sp2
- version/microsoft exchange server/2007-sp1
- version/microsoft exchange server/2010