Windows HTTP Protocol Stack (HTTP.sys) Bugs Let Remote Users Deny Service and Execute Arbitrary Code
|
SecurityTracker Alert ID: 1041094 |
SecurityTracker URL: http://securitytracker.com/id/1041094
|
CVE Reference:
CVE-2018-8226, CVE-2018-8231
(Links to External Site)
|
Date: Jun 12 2018
|
Impact:
Denial of service via network, Execution of arbitrary code via network, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 2016, 10, 10 Version 1607, 10 Version 1703, 10 Version 1709, 10 Version 1803
|
Description:
Two vulnerabilities were reported in Windows HTTP Services. A remote user can cause denial of service conditions on the target system. A remote user can execute arbitrary code on the target system.
A remote user can send a specially crafted HTTP 2.0 request to trigger a parsing error in 'HTTP.sys' and cause the target system to become unresponsive [CVE-2018-8226].
A remote user can send a specially crafted packet to trigger an object memory handling error error in 'HTTP.sys' and execute arbitrary code on the target system [CVE-2018-8231].
|
Impact:
A remote user can cause the target system to become unresponsive.
A remote user can execute arbitrary code on the target system.
|
Solution:
The vendor has issued a fix.
The Microsoft advisories are available at:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8226
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8231
|
Vendor URL: portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8226 (Links to External Site)
|
Cause:
Access control error, Input validation error
|
|
Message History:
None.
|
Source Message Contents
|
|
[Original Message Not Available for Viewing]
|
|