HIRT-PUB15004: HTTP.sys Remote Code Execution issue

(CVE-2015-1635)

Last Updated: April 20, 2015

1. Overview


The HTTP protocol stack (HTTP.sys) of Microsoft Windows contains an integer overflow vulnerability that may allow an attacker to remotely execute arbitrary code via crafted HTTP requests. This vulnerability has been assigned CVE-2015-1635 and is referred to as the "HTTP.sys Remote Code Execution Vulnerability".

 

April 14, 2015
A security update for HTTP.sys (CVE-2015-1635, MS15-034) has been released by Microsoft.

 

April 15, 2015
Proof-of-concept code for CVE-2015-1635 was released to the public. Denial of Service (DoS) exploits for CVE-2015-1635, affecting Microsoft IIS, are also widely available.

CVSS Severity

 Base Metrics: 10.0
  Access Vector: Network
  Access Complexity: Low
  Authentication: None
  Confidentiality Impact: Complete
  Integrity Impact: Complete
  Availability Impact: Complete

 

 Temporal Metrics: 8.3 (April 20, 2015)
  Exploitability: Functional exploit exists
  Remediation Level: Official fix
  Report Confidence: Confirmed

 

http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C)

2. Affected Systems


+ cpe:/o:microsoft:windows_7
+ cpe:/o:microsoft:windows_server_2008:r2
+ cpe:/o:microsoft:windows_8
+ cpe:/o:microsoft:windows_8.1
+ cpe:/o:microsoft:windows_server_2012
+ cpe:/o:microsoft:windows_server_2012:r2

3. Impact


This vulnerability allows a remote attacker to cause a denial of service (BSOD: Blue Screen of Death) or execute arbitrary code via crafted HTTP requests.

4. Solution


Apply an update

MS15-034: Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553)
https://technet.microsoft.com/library/security/MS15-034
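
One way to check whether the update above is present on the affected systems listed in section 2. This is an added example, not part of the original advisory or of Microsoft's guidance. It assumes Windows PowerShell run from an account with WMI access to the target hosts; the function name `Test-Ms15034Update`, the status strings and the host list are hypothetical.

```powershell
# Added example: audit hosts for the MS15-034 update (KB3042553).
param(
    # Hosts to check; defaults to the local machine (the host list is an assumption).
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

# Version prefixes of the affected systems listed in section 2:
# 6.1 = Windows 7 / Server 2008 R2, 6.2 = Windows 8 / Server 2012,
# 6.3 = Windows 8.1 / Server 2012 R2.
$AffectedVersions = @('6.1', '6.2', '6.3')
$KbId = 'KB3042553'

function Test-Ms15034Update {
    param([string]$Computer)

    $row = New-Object psobject -Property @{
        Computer = $Computer; OS = $null; Version = $null; Status = 'Unknown'
    }
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Computer -ErrorAction Stop
        $row.OS = $os.Caption
        $row.Version = $os.Version
        $majorMinor = ($os.Version -split '\.')[0..1] -join '.'

        if ($AffectedVersions -notcontains $majorMinor) {
            $row.Status = 'NotInAffectedList'
        }
        elseif (Get-HotFix -Id $KbId -ComputerName $Computer -ErrorAction SilentlyContinue) {
            $row.Status = 'UpdateInstalled'
        }
        else {
            # Not proof of exposure: a later superseding update is not listed under this KB.
            $row.Status = 'UpdateNotListed'
        }
    }
    catch {
        # Host unreachable or access denied: report it instead of silently skipping.
        $row.Status = 'QueryFailed: ' + $_.Exception.Message
    }
    $row
}

$ComputerName | ForEach-Object { Test-Ms15034Update -Computer $_ } |
    Select-Object Computer, OS, Version, Status |
    Format-Table -AutoSize
```

Hosts reported as `UpdateNotListed` or `QueryFailed` need manual follow-up before they are counted as patched or unpatched.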

5. Product Information


April 17, 2015

The issue is currently under investigation.

6. References


Vulnerability Enumeration

CVE-2015-1635
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635

MS15-034: Vulnerability in HTTP.sys Could Allow Remote Code Execution (3042553)
https://technet.microsoft.com/library/security/MS15-034

Other Information

InfoSec Handlers Diary Blog
MS15-034: HTTP.sys (IIS) DoS And Possible Remote Code Execution. PATCH NOW
https://isc.sans.edu/diary/19583

7. Update history


April 20, 2015

  • This webpage was newly created and published.

Masato Terada (HIRT) and Naoko Ohnishi (HIRT)