Critical vulnerability in HTTP.sys could allow Remote Code Execution
Information on a vulnerability affecting the HTTP protocol stack (HTTP.sys) on Windows-based systems was publicly released when Microsoft officially disclosed it on April 14th 2015. Microsoft has rated the vulnerability as Critical.
Exploit code is now known to be publicly available, primarily focusing on denial of service (DoS) of target systems by causing a ‘blue screen of death’. However, at least one remote code execution (RCE) exploit is known to exist in the wild, which can be used to create a reverse command shell.
What is the impact?
By sending a specially crafted HTTP request to an affected system, it may be possible to achieve remote code execution (RCE): the ability of an attacker to access a remote system and make changes or run system commands.
Any system (see below) running Microsoft IIS or the HTTP Server APIs is vulnerable and, if targeted, could be subjected to a denial of service attack or potentially allow an attacker to gain control over the host. External-facing Microsoft servers should therefore be patched as an absolute priority.
Could my organisation be vulnerable?
Microsoft has advised that the following Windows systems, including technical previews of upcoming Microsoft operating systems, are affected:
- Windows 7
- Windows Server 2008 R2
- Windows 8 and Windows 8.1
- Windows Server 2012 and Windows Server 2012 R2
- Server Core installation option
How can we detect the vulnerability?
Detection of MS15-034 is now available to clients that have in-house scanning appliances, and also to those that use the SureCloud remote scanning appliances. Both credentialed and uncredentialed scans can be performed using the ‘MS15-034’ Tool Policy template.
If you require assistance on configuring a dedicated scan for this vulnerability in the SureCloud Platform then please raise a support ticket and our security team will assist you as soon as possible.
How can we remediate the vulnerability?
Microsoft released a security update between the 14th and 15th April 2015. The security update can be obtained from Windows Update or by visiting this Microsoft MS15-034 link.
A workaround for IIS was also proposed by Microsoft: disable kernel caching. However, Microsoft has also stated that doing so may cause performance issues on the IIS server.
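As an added example (not part of this advisory, and not Microsoft's own tooling), the following PowerShell audits the IIS kernel-cache setting at server scope and for each site, checks whether a given hotfix is installed, and only applies the workaround when explicitly asked. It assumes the WebAdministration module, the enableKernelCache attribute of system.webServer/caching, and a placeholder KB number that must be taken from the MS15-034 bulletin.

```powershell
# Added example: audit (and optionally disable) IIS kernel caching, the
# MS15-034 workaround. Run in an elevated shell on the IIS host.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Only report by default; pass -Disable to apply the workaround.
    [switch]$Disable,
    # Placeholder: replace with the KB number listed in the MS15-034 bulletin.
    [string]$PatchKb = 'KBnnnnnnn'
)

Import-Module WebAdministration -ErrorAction Stop

# Patched hosts do not need the workaround; report the hotfix state first.
$patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)
Write-Output ("Hotfix {0} installed: {1}" -f $PatchKb, $patched)

# Server-level config plus every site, because a site can override the
# server-level value and re-enable kernel caching for itself.
$filter = 'system.webServer/caching'
$scopes = @('MACHINE/WEBROOT/APPHOST') +
          (Get-Website | ForEach-Object { "IIS:\Sites\$($_.Name)" })

$report = foreach ($scope in $scopes) {
    $enabled = (Get-WebConfigurationProperty -PSPath $scope `
                    -Filter $filter -Name enableKernelCache).Value

    # Disabling kernel caching may reduce IIS performance (per Microsoft),
    # so it is gated behind -Disable and honours -WhatIf / -Confirm.
    if ($Disable -and $enabled -and
        $PSCmdlet.ShouldProcess($scope, 'Disable IIS kernel cache')) {
        Set-WebConfigurationProperty -PSPath $scope -Filter $filter `
            -Name enableKernelCache -Value $false
        $enabled = $false
    }

    [pscustomobject]@{ Scope = $scope; KernelCacheEnabled = $enabled }
}

$report | Format-Table -AutoSize
```

Run it without switches first to see which scopes still have kernel caching enabled, then re-run with `-Disable -WhatIf` to preview the change before applying it through normal change control.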
Get in touch
Should you have any questions regarding this or any security matter, please do not hesitate to get in touch by opening a support ticket or emailing SureCloud Support.
Whilst every effort is made to ensure the accuracy and robustness of any information presented, it is not possible for SureCloud to test every possible scenario an organisation may face, and SureCloud cannot be held liable for any loss or damage which may arise from taking action on any of the contents provided. SureCloud strongly advises that all recommendations, solutions and detection methods detailed are thoroughly reviewed and tested in non-production environments before being considered suitable for production release, in line with any existing internal change control procedures.