The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Microsoft Office Communications Server

Vulnerability announcement CVE-2008-5180

Microsoft OCS: denial of service via SIP

Synthesis of the vulnerability

An attacker can send SIP INVITE requests in order to create a denial of service in Microsoft Office Communications Server.
Impacted products: Microsoft OCS.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: intranet client.
Creation date: 02/12/2008.
Identifiers: CVE-2008-5180, VIGILANCE-VUL-8277.

Description of the vulnerability

The Microsoft Office Communications Server product implements SIP (Session Initiation Protocol), which is used for multimedia exchanges. This protocol defines the following requests:
 - INVITE: the client requests a new session
 - ACK: the server acknowledges
 - BYE: ends a session
 - etc.

When MOCS receives a special SIP INVITE request, it does not free the associated memory.

An attacker can therefore send numerous requests in order to progressively deplete the memory.
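Because the attack relies on numerous INVITE requests from an intranet client, one monitoring approach is to count new sessions per source over a sliding window. The following is an added example, not code from Vigil@nce or Microsoft; the thresholds, class and function names, and the sample addresses are assumptions.

```python
from collections import defaultdict, deque

def parse_sip_request(raw: bytes):
    """Return (method, call_id) for a SIP request, or None for anything else."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("utf-8", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    # Request line is "METHOD Request-URI SIP/2.0"; responses start with "SIP/2.0".
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None
    call_id = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("call-id", "i"):  # "i" is the compact form
            call_id = value.strip()
            break
    return parts[0], call_id

class InviteFloodMonitor:
    """Flag sources opening more than max_invites new sessions per window (seconds)."""
    def __init__(self, max_invites=20, window=10.0):  # assumed thresholds, tune per site
        self.max_invites, self.window = max_invites, window
        self.recent = defaultdict(deque)  # source -> deque of (timestamp, call_id)

    def observe(self, ts, src, raw):
        """Feed one captured message; return True while src is over the limit."""
        parsed = parse_sip_request(raw)
        if parsed is None or parsed[0] != "INVITE":
            return False
        q = self.recent[src]
        while q and ts - q[0][0] > self.window:
            q.popleft()
        call_id = parsed[1]
        # Retransmissions and re-INVITEs reuse the Call-ID: count each session once.
        if call_id is None or all(c != call_id for _, c in q):
            q.append((ts, call_id))
        return len(q) > self.max_invites

def make_invite(call_id):
    """Constructed sample INVITE (addresses and URIs are made up)."""
    return ("INVITE sip:bob@example.test SIP/2.0\r\n"
            "Via: SIP/2.0/TCP 10.0.0.5;branch=z9hG4bK1\r\n"
            f"Call-ID: {call_id}\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n").encode()

if __name__ == "__main__":
    mon = InviteFloodMonitor(max_invites=3, window=10.0)
    for t in range(5):
        print(t, mon.observe(float(t), "10.0.0.5", make_invite(f"call-{t}")))
```

Since the memory is depleted progressively, a slow sender can stay under any rate threshold, so this check is best paired with trending the server process's memory use over time.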