Since I raised this as an Issue, I checked on the Exchange servers and there are no IIS6 websites configured. In this case would I be right in thinking that I don't need to do any further work?
Vulnerability CVE-2007-2897 on Exchange 2013 server
Hi,
We have recently had a PCI DSS scan and on the Windows 2012 R2 Exchange 2013 servers the CVE-2007-2897 vulnerability was detected.
I have been searching for how to mitigate this and can't really find anything.
I did see something about using an ISAPI filter to block MS-DOS devices, but again there seemed to be no definitive fix.
Any help would be appreciated.
Matthew Ridley
2 answers
Limitless Technology 39,366 Reputation points
2021-12-02T10:07:21.917+00:00
Hi there,
This vulnerability has been modified since it was last analyzed by the NATIONAL VULNERABILITY DATABASE.
Microsoft Internet Information Services (IIS) 6.0 allows remote attackers to cause a denial of service (server instability or device hang), and possibly obtain sensitive information (device communication traffic); and might allow attackers with physical access to execute arbitrary code after connecting a data stream to a device COM port; via requests for a URI containing a '/' immediately before and after the name of a DOS device, as demonstrated by the /AUX/.aspx URI, which bypasses a blacklist for DOS device requests.
--If the reply is helpful, please Upvote and Accept it as an answer--
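As an added example (not part of the thread and not Microsoft tooling), this checks IIS W3C logs for the request shape the quoted NVD text describes: a DOS device name appearing as a path segment, as in /AUX/.aspx. The log lines are constructed, the function names are hypothetical, and the device list is the standard set of Windows reserved names.

```python
from urllib.parse import unquote

# Windows reserved DOS device names (standard set; the thread's example uses AUX).
DOS_DEVICES = {"AUX", "CON", "PRN", "NUL"} | {
    f"{p}{i}" for p in ("COM", "LPT") for i in range(1, 10)}

# Constructed sample in IIS W3C extended log format; IPs and paths are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2021-11-30 09:14:02 192.0.2.10 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 200
2021-11-30 09:14:05 192.0.2.10 GET /AUX/.aspx - 443 - 198.51.100.7 404
2021-11-30 09:14:09 192.0.2.10 GET /ecp/console.aspx - 443 - 198.51.100.7 200
2021-11-30 09:14:11 192.0.2.10 GET /files/com1.txt - 443 - 203.0.113.5 404
"""

def device_segments(uri_stem):
    """Return the DOS device names that appear as path segments of uri_stem."""
    hits = []
    path = unquote(uri_stem).replace("\\", "/")
    for segment in path.split("/"):
        # Windows treats "aux", "AUX.txt" and "aux " as the same device,
        # so compare the part before the first dot, case-insensitively.
        base = segment.split(".", 1)[0].rstrip(" ").upper()
        if base in DOS_DEVICES:
            hits.append(base)
    return hits

def scan(lines):
    """Yield (client IP, URI stem, devices) for each log row naming a device."""
    fields, findings = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if line.startswith("#") or not line.strip() or "cs-uri-stem" not in fields:
            continue
        row = dict(zip(fields, line.split()))
        devices = device_segments(row.get("cs-uri-stem", ""))
        if devices:
            findings.append((row.get("c-ip"), row["cs-uri-stem"], devices))
    return findings

if __name__ == "__main__":
    for ip, stem, devices in scan(SAMPLE_LOG.splitlines()):
        print(f"{ip} requested {stem} (device segment: {', '.join(devices)})")
```

A match shows only that such a URI was requested; the NVD text quoted above ties the flaw itself to IIS 6.0.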