Microsoft Windows up to Server 2019 HTTP2 HTTP.sys denial of service – Digitalmunition




Exploit/Advisories Cybersecurity study of the dark web exposes vulnerability to machine identities -- ScienceDaily

Published on August 15th, 2019 📆 | 2061 Views ⚑

0

Microsoft Windows up to Server 2019 HTTP2 HTTP.sys denial of service

CVSS Meta Temp ScoreCurrent Exploit Price (≈)
7.2$5k-$25k

A vulnerability classified as critical was found in Microsoft Windows up to Server 2019 (Operating System). Affected by this vulnerability is an unknown code in the library HTTP.sys of the component HTTP2 Handler. The manipulation with an unknown input leads to a denial of service vulnerability. The CWE definition for the vulnerability is CWE-404. As an impact it is known to affect availability.

The weakness was shared 08/13/2019 as confirmed security update guide (Website). The advisory is shared at portal.msrc.microsoft.com. The vendor cooperated in the coordination of the public release. This vulnerability is known as CVE-2019-9512. The attack can be launched remotely. The exploitation doesn’t need any form of authentication. Technical details are known, but no exploit is available. The price for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 08/14/2019). The advisory points out:

A denial of service vulnerability exists in the HTTP/2 protocol stack (HTTP.sys) when HTTP.sys improperly parses specially crafted HTTP/2 requests. An attacker who successfully exploited the vulnerability could create a denial of service condition, causing the target system to become unresponsive.

Applying a patch is able to eliminate this problem. A possible mitigation has been published immediately after the disclosure of the vulnerability.

The entries 139973, 139972, 139971 and 139970 are related to this item.

Type

Vendor

Name

VulDB Meta Base Score: 7.5
VulDB Meta Temp Score: 7.2

VulDB Base Score: 7.5
VulDB Temp Score: 7.2
VulDB Vector: 🔒
VulDB Reliability: 🔍

Vendor Base Score (Microsoft): 7.5
Vendor Vector (Microsoft): 🔒

AVACAuCIA
🔍🔍🔍🔍🔍🔍
🔍🔍🔍🔍🔍🔍
🔍🔍🔍🔍🔍🔍
VectorComplexityAuthenticationConfidentialityIntegrityAvailability
unlockunlockunlockunlockunlockunlock
unlockunlockunlockunlockunlockunlock
unlockunlockunlockunlockunlockunlock


VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍
Class: Denial of service (CWE-404)
Local: No
Remote: Yes

Availability: 🔒
Status: Not defined

Price Prediction: 🔍
Current Price Estimation: 🔒

Threat Intelligenceinfoedit

Threat: 🔍
Adversaries: 🔍
Geopolitics: 🔍
Economy: 🔍
Predictions: 🔍
Remediation: 🔍Recommended: Patch
Status: 🔍

Reaction Time: 🔒
0-Day Time: 🔒
Exposure Time: 🔒

08/13/2019 Advisory disclosed
08/13/2019 +0 days Countermeasure disclosed
08/14/2019 +1 days VulDB entry created
08/14/2019 +0 days VulDB last updateVendor: microsoft.com
Product: microsoft.com

Advisory: portal.msrc.microsoft.com
Status: Confirmed
Coordinated: 🔒

CVE: CVE-2019-9512 (🔒)
scip Labs: https://www.scip.ch/en/?labs.20161215
See also: 🔒

Created: 08/14/2019 01:51 PM
Complete: 🔍

Comments

No comments yet. Please log in to comment.

Download the whitepaper to learn more about our service!

https://vuldb.com/?id.139969

Tagged with:



Leave a Reply