CVE-2010-1689

Summary

CVE	CVE-2010-1689
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2010-05-07 18:30:00 UTC
Updated	2020-04-09 13:25:00 UTC
Description	The DNS implementation in smtpsvc.dll before 6.0.2600.5949 in Microsoft Windows 2000 SP4 and earlier, Windows XP SP3 and earlier, Windows Server 2003 SP2 and earlier, Windows Server 2008 SP2 and earlier, Windows Server 2008 R2, Exchange Server 2003 SP3 and earlier, Exchange Server 2007 SP2 and earlier, and Exchange Server 2010 uses predictable transaction IDs that are formed by incrementing a previous ID by 1, which makes it easier for man-in-the-middle attackers to spoof DNS responses, a different vulnerability than CVE-2010-0024 and CVE-2010-0025.

Risk And Classification

Problem Types: CWE-310

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Microsoft	Exchange Server	2003	-	All	All
Application	Microsoft	Exchange Server	2003	sp1	All	All
Application	Microsoft	Exchange Server	2003	sp2	All	All
Application	Microsoft	Exchange Server	2007	-	All	All
Application	Microsoft	Exchange Server	2007	sp1	All	All
Application	Microsoft	Exchange Server	2007	sp2	All	All
Application	Microsoft	Exchange Server	2010	-	All	All
Application	Microsoft	Exchange Server	2003	-	All	All
Application	Microsoft	Exchange Server	2003	sp1	All	All
Application	Microsoft	Exchange Server	2003	sp2	All	All
Application	Microsoft	Exchange Server	2007	-	All	All
Application	Microsoft	Exchange Server	2007	sp1	All	All
Application	Microsoft	Exchange Server	2007	sp2	All	All
Application	Microsoft	Exchange Server	2010	-	All	All
Operating System	Microsoft	Windows 2000	-	sp1	All	All
Operating System	Microsoft	Windows 2000	-	sp2	All	All
Operating System	Microsoft	Windows 2000	-	sp3	All	All
Operating System	Microsoft	Windows 2000	-	sp4	All	All
Operating System	Microsoft	Windows 2000	-	sp1	All	All
Operating System	Microsoft	Windows 2000	-	sp2	All	All
Operating System	Microsoft	Windows 2000	-	sp3	All	All
Operating System	Microsoft	Windows 2000	-	sp4	All	All
Operating System	Microsoft	Windows Server 2003	-	sp1	All	All
Operating System	Microsoft	Windows Server 2003	-	sp2	All	All
Operating System	Microsoft	Windows Server 2003	-	sp1	All	All
Operating System	Microsoft	Windows Server 2003	-	sp2	All	All
Operating System	Microsoft	Windows Server 2008	-	sp1	All	All
Operating System	Microsoft	Windows Server 2008	-	sp2	All	All
Operating System	Microsoft	Windows Server 2008	r2	-	All	All
Operating System	Microsoft	Windows Server 2008	-	sp1	All	All
Operating System	Microsoft	Windows Server 2008	-	sp2	All	All
Operating System	Microsoft	Windows Server 2008	r2	-	All	All
Operating System	Microsoft	Windows Xp	-	sp1	All	All
Operating System	Microsoft	Windows Xp	-	sp2	All	All
Operating System	Microsoft	Windows Xp	-	sp3	All	All
Operating System	Microsoft	Windows Xp	-	sp1	All	All
Operating System	Microsoft	Windows Xp	-	sp2	All	All
Operating System	Microsoft	Windows Xp	-	sp3	All	All

References

Reference	Source	Link	Tags
20100504 [CORE-2010-0427] Windows SMTP Service DNS query Id vulnerabilities	FULLDISC	archives.neohapsis.com	Broken Link
Microsoft Windows SMTP Server Insufficient Query ID Randomization DNS Spoofing Vulnerability	BID	www.securityfocus.com	Third Party Advisory, VDB Entry
SecurityTracker.com Archives - Windows SMTP Service Uses Predictable Transaction IDs and Fails to Validate Response IDs Which May Permit DNS Spoofing	SECTRACK	securitytracker.com	Third Party Advisory, VDB Entry
Windows SMTP Service DNS query Id vulnerabilities \| CoreLabs Advisories	MISC	www.coresecurity.com	Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.