CVE-2019-0626
published 2019-03-05CVE-2019-0626: A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP server, aka 'Windows…
PriorityP272critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
68.29%
99.2th percentile
A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP server, aka 'Windows DHCP Server Remote Code Execution Vulnerability'.
Affected
63 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →The vulnerable service is implemented in dhcpssvc.dll and run via svchost.exe; monitor for crashes or anomalous behavior in this process/DLL as an indicator of exploitation attempts. ↗
- →Detect exploitation attempts by monitoring for a highly unusual volume of DHCP DISCOVER and RELEASE/REQUEST messages originating from a single client (hardware address) in a short time window — the described attack requires concurrently sending a large number of such messages over 10 seconds to several minutes. ↗
- →Alert on DHCP RELEASE messages or crafted REQUEST messages (with a requested IP address the server cannot allocate) sent rapidly after DISCOVER messages from the same client hardware address — this is the specific trigger sequence for the use-after-free. ↗
- →The attack vector is specially crafted DHCP packets sent to a Windows DHCP Server; monitor DHCP server traffic (UDP port 67) for anomalous packet floods or malformed option fields. ↗
- ·The vulnerability is a memory corruption (use-after-free via race condition) in the Windows Server DHCP service, not the DHCP client; only Windows Server deployments running the DHCP Server role are affected. ↗
- ·Triggering the race condition is non-deterministic and requires precise timing between thread scheduling windows; a crash of the DHCP server service (denial-of-service) is a more reliable outcome than remote code execution, and could be leveraged to stand up a rogue DHCP server. ↗
- ·The race condition window is extremely narrow — it exists between leaving one critical section (DhcpGlobalInprogressCritSect) and entering the next one, making reliable exploitation highly dependent on thread scheduling and not fully under attacker control. ↗
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_msrc9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-4xjw-72cm-x4gr: A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP server, aka 'Wi
ghsa_unreviewed·2022-05-13
CVE-2019-0626 [CRITICAL] CWE-787 GHSA-4xjw-72cm-x4gr: A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP server, aka 'Wi
A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP server, aka 'Windows DHCP Server Remote Code Execution Vulnerability'.
Microsoft
Windows DHCP Server Remote Code Execution Vulnerability
vendor_msrc·2019-02-12·CVSS 9.8
CVE-2019-0626 [CRITICAL] Windows DHCP Server Remote Code Execution Vulnerability
Windows DHCP Server Remote Code Execution Vulnerability
Description: A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP server. An attacker who successfully exploited the vulnerability could run arbitrary code on the DHCP server.
To exploit the vulnerability, an attacker could send a specially crafted packet to a DHCP server.
The security update addresses the vulnerability by correcting how DHCP servers handle network packets.
Windows DHCP Server: Windows DHCP Server
Impact: Remote Code Execution
Exploit Status: Publicly Disclosed:No;Exploited:No;Latest Software Release:Exploitation Less Likely;Older Software Release:Exploitation Less Likely
Reference: https://catalog.update.microsoft.com/v7/site/Searc
Suricata
GPL RPC portmap rusers request UDP
suricata·2010-09-23
CVE-1999-0626 GPL RPC portmap rusers request UDP
GPL RPC portmap rusers request UDP
Rule: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rusers request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:2100584; rev:12; metadata:created_at 2010_09_23, cve CVE_1999_0626, signature_severity Informational, updated_at 2019_07_26;)
No public exploits indexed.
Trendmicro
CVE-2019-0725: An Analysis of Its Exploitability
blogs_trendmicro·2019-05-29·CVSS 9.8
CVE-2019-0725 [CRITICAL] CVE-2019-0725: An Analysis of Its Exploitability
Exploits & Vulnerabilities
# CVE-2019-0725: An Analysis of Its Exploitability
It’s worth noting that DHCP-related vulnerabilities are drawing more attention in Patch Tuesdays this year. An example is CVE-2019-0725, which doesn’t require user interaction, and affects all versions of Windows Server. How bad is it exactly?
By: John Simpson
May 29, 2019
Read time: ( words)
Save to Folio
May’s Patch Tuesday saw what is likely to be one of the most prominent vulnerabilities this year with the “wormable” Windows Terminal Services vulnerability (CVE-2019-0708). However, there’s another remote code execution (RCE) vulnerability that would be hard to ignore: CVE-2019-0725, an RCE vulnerability in Windows Dynamic Host Configuration Protocol (DHCP) Server. It’s worth noting that DHCP-related vul
Trendmicro
CVE-2019-0725: An Analysis of Its Exploitability
blogs_trendmicro·2019-05-29·CVSS 9.8
CVE-2019-0725 [CRITICAL] CVE-2019-0725: An Analysis of Its Exploitability
Exploits & Vulnerabilities
# CVE-2019-0725: An Analysis of Its Exploitability
It’s worth noting that DHCP-related vulnerabilities are drawing more attention in Patch Tuesdays this year. An example is CVE-2019-0725, which doesn’t require user interaction, and affects all versions of Windows Server. How bad is it exactly?
By: John Simpson
2019/05/29
Read time: ( words)
Save to Folio
May’s Patch Tuesday saw what is likely to be one of the most prominent vulnerabilities this year with the “wormable” Windows Terminal Services vulnerability (CVE-2019-0708). However, there’s another remote code execution (RCE) vulnerability that would be hard to ignore: CVE-2019-0725, an RCE vulnerability in Windows Dynamic Host Configuration Protocol (DHCP) Server. It’s worth noting that DHCP-related vulne
Trendmicro
CVE-2019-0725: An Analysis of Its Exploitability
blogs_trendmicro·2019-05-29·CVSS 9.8
CVE-2019-0725 [CRITICAL] CVE-2019-0725: An Analysis of Its Exploitability
Exploits & Vulnerabilities
## CVE-2019-0725: An Analysis of Its Exploitability
It’s worth noting that DHCP-related vulnerabilities are drawing more attention in Patch Tuesdays this year. An example is CVE-2019-0725, which doesn’t require user interaction, and affects all versions of Windows Server. How bad is it exactly?
By: John Simpson May 29, 2019 Read time: ( words)
Save to Folio
May’s Patch Tuesday saw what is likely to be one of the most prominent vulnerabilities this year with the “wormable” Windows Terminal Services vulnerability ( CVE-2019-0708 ). However, there’s another remote code execution (RCE) vulnerability that would be hard to ignore: CVE-2019-0725 , an RCE vulnerability in Windows Dynamic Host Configuration Protocol (DHCP) Server. It’s worth noting that DHCP-related
Trendmicro
CVE-2019-0725: An Analysis of Its Exploitability
blogs_trendmicro·2019-05-29·CVSS 9.8
CVE-2019-0725 [CRITICAL] CVE-2019-0725: An Analysis of Its Exploitability
Ausnutzung von Schwachstellen
## CVE-2019-0725: An Analysis of Its Exploitability
It’s worth noting that DHCP-related vulnerabilities are drawing more attention in Patch Tuesdays this year. An example is CVE-2019-0725, which doesn’t require user interaction, and affects all versions of Windows Server. How bad is it exactly?
By: John Simpson May 29, 2019 Read time: ( words)
Save to Folio
May’s Patch Tuesday saw what is likely to be one of the most prominent vulnerabilities this year with the “wormable” Windows Terminal Services vulnerability ( CVE-2019-0708 ). However, there’s another remote code execution (RCE) vulnerability that would be hard to ignore: CVE-2019-0725 , an RCE vulnerability in Windows Dynamic Host Configuration Protocol (DHCP) Server. It’s worth noting that DHCP-relat
Trendmicro
CVE-2019-0725: An Analysis of Its Exploitability
blogs_trendmicro·2019-05-29·CVSS 9.8
CVE-2019-0725 [CRITICAL] CVE-2019-0725: An Analysis of Its Exploitability
Exploits & Vulnerabilities
## CVE-2019-0725: An Analysis of Its Exploitability
It’s worth noting that DHCP-related vulnerabilities are drawing more attention in Patch Tuesdays this year. An example is CVE-2019-0725, which doesn’t require user interaction, and affects all versions of Windows Server. How bad is it exactly?
By: John Simpson 2019/05/29 Read time: ( words)
Save to Folio
May’s Patch Tuesday saw what is likely to be one of the most prominent vulnerabilities this year with the “wormable” Windows Terminal Services vulnerability ( CVE-2019-0708 ). However, there’s another remote code execution (RCE) vulnerability that would be hard to ignore: CVE-2019-0725 , an RCE vulnerability in Windows Dynamic Host Configuration Protocol (DHCP) Server. It’s worth noting that DHCP-related vu
Trendmicro
CVE-2019-0725: An Analysis of Its Exploitability
blogs_trendmicro·2019-05-29·CVSS 9.8
CVE-2019-0725 [CRITICAL] CVE-2019-0725: An Analysis of Its Exploitability
Sfruttamento vulnerabilità
## CVE-2019-0725: An Analysis of Its Exploitability
It’s worth noting that DHCP-related vulnerabilities are drawing more attention in Patch Tuesdays this year. An example is CVE-2019-0725, which doesn’t require user interaction, and affects all versions of Windows Server. How bad is it exactly?
By: John Simpson May 29, 2019 Read time: ( words)
Save to Folio
May’s Patch Tuesday saw what is likely to be one of the most prominent vulnerabilities this year with the “wormable” Windows Terminal Services vulnerability ( CVE-2019-0708 ). However, there’s another remote code execution (RCE) vulnerability that would be hard to ignore: CVE-2019-0725 , an RCE vulnerability in Windows Dynamic Host Configuration Protocol (DHCP) Server. It’s worth noting that DHCP-related
Trendmicro
CVE-2019-0725: An Analysis of Its Exploitability
blogs_trendmicro·2019-05-29·CVSS 9.8
CVE-2019-0725 [CRITICAL] CVE-2019-0725: An Analysis of Its Exploitability
Exploits y vulnerabilidades
## CVE-2019-0725: An Analysis of Its Exploitability
It’s worth noting that DHCP-related vulnerabilities are drawing more attention in Patch Tuesdays this year. An example is CVE-2019-0725, which doesn’t require user interaction, and affects all versions of Windows Server. How bad is it exactly?
By: John Simpson May 29, 2019 Read time: ( words)
Save to Folio
May’s Patch Tuesday saw what is likely to be one of the most prominent vulnerabilities this year with the “wormable” Windows Terminal Services vulnerability ( CVE-2019-0708 ). However, there’s another remote code execution (RCE) vulnerability that would be hard to ignore: CVE-2019-0725 , an RCE vulnerability in Windows Dynamic Host Configuration Protocol (DHCP) Server. It’s worth noting that DHCP-related
Trendmicro
February Patch Tuesday: Batch Includes 77 Updates
blogs_trendmicro·2019-02-13·CVSS 9.8
[CRITICAL] February Patch Tuesday: Batch Includes 77 Updates
Exploits & Vulnerabilities
## February Patch Tuesday: Batch Includes 77 Updates
Microsoft released 77 updates, along with three new advisories, in this month’s Patch Tuesday. It includes fixes for ChakraCore, Edge, Exchange Server, Internet Explorer (IE), Microsoft Windows, Office, among others.
By: Trend Micro Research Feb 13, 2019 Read time: ( words)
Save to Folio
It’s time to get security updates installed. Microsoft released 77 updates, along with three new advisories, in this month’s Patch Tuesday. The bulletin patches four publicly known bugs, rated Important, and one that is under active attack. It includes fixes for ChakraCore, Edge, Exchange Server, Internet Explorer (IE), Microsoft Windows, Office and Microsoft Office Services and Web Apps, Azure, Team Foundation Services, a
Trendmicro
February Patch Tuesday: Batch Includes 77 Updates
blogs_trendmicro·2019-02-13·CVSS 9.8
[CRITICAL] February Patch Tuesday: Batch Includes 77 Updates
Exploits & Vulnerabilities
# February Patch Tuesday: Batch Includes 77 Updates
Microsoft released 77 updates, along with three new advisories, in this month’s Patch Tuesday. It includes fixes for ChakraCore, Edge, Exchange Server, Internet Explorer (IE), Microsoft Windows, Office, among others.
By: Trend Micro Research
Feb 13, 2019
Read time: ( words)
Save to Folio
It’s time to get security updates installed. Microsoft released 77 updates, along with three new advisories, in this month’s Patch Tuesday. The bulletin patches four publicly known bugs, rated Important, and one that is under active attack. It includes fixes for ChakraCore, Edge, Exchange Server, Internet Explorer (IE), Microsoft Windows, Office and Microsoft Office Services and Web Apps, Azure, Team Foundation Services, a
Trendmicro
February Patch Tuesday: Batch Includes 77 Updates
blogs_trendmicro·2019-02-13·CVSS 9.8
[CRITICAL] February Patch Tuesday: Batch Includes 77 Updates
Exploits y vulnerabilidades
## February Patch Tuesday: Batch Includes 77 Updates
Microsoft released 77 updates, along with three new advisories, in this month’s Patch Tuesday. It includes fixes for ChakraCore, Edge, Exchange Server, Internet Explorer (IE), Microsoft Windows, Office, among others.
By: Trend Micro Research Feb 13, 2019 Read time: ( words)
Save to Folio
It’s time to get security updates installed. Microsoft released 77 updates, along with three new advisories, in this month’s Patch Tuesday. The bulletin patches four publicly known bugs, rated Important, and one that is under active attack. It includes fixes for ChakraCore, Edge, Exchange Server, Internet Explorer (IE), Microsoft Windows, Office and Microsoft Office Services and Web Apps, Azure, Team Foundation Services,
Krebs
Patch Tuesday, February 2019 Edition
blogs_krebs·2019-02-13·CVSS 9.8
[CRITICAL] Patch Tuesday, February 2019 Edition
Microsoft on Tuesday issued a bevy of patches to correct at least 70 distinct security vulnerabilities in Windows and software designed to interact with various flavors of the operating system. This month’s patch batch tackles some notable threats to enterprises — including multiple flaws that were publicly disclosed prior to Patch Tuesday. It also bundles fixes to quash threats relevant to end users, including critical updates for Adobe Flash Player and Microsoft Office , as well as a zero-day bug in Internet Explorer .
Some 20 of the flaws addressed in February’s update bundle are weaknesses labeled “critical,” meaning Microsoft believes that attackers or malware could exploit them to fully compromise systems through little or no help from users — save from convincing a user to visit a
Trendmicro
February Patch Tuesday: Batch Includes 77 Updates
blogs_trendmicro·2019-02-13·CVSS 9.8
[CRITICAL] February Patch Tuesday: Batch Includes 77 Updates
Exploits & Vulnerabilities
## February Patch Tuesday: Batch Includes 77 Updates
Microsoft released 77 updates, along with three new advisories, in this month’s Patch Tuesday. It includes fixes for ChakraCore, Edge, Exchange Server, Internet Explorer (IE), Microsoft Windows, Office, among others.
By: Trend Micro Research 2019/02/13 Read time: ( words)
Save to Folio
It’s time to get security updates installed. Microsoft released 77 updates, along with three new advisories, in this month’s Patch Tuesday. The bulletin patches four publicly known bugs, rated Important, and one that is under active attack. It includes fixes for ChakraCore, Edge, Exchange Server, Internet Explorer (IE), Microsoft Windows, Office and Microsoft Office Services and Web Apps, Azure, Team Foundation Services, and
Trendmicro
February Patch Tuesday: Batch Includes 77 Updates
blogs_trendmicro·2019-02-13·CVSS 9.8
[CRITICAL] February Patch Tuesday: Batch Includes 77 Updates
Sfruttamento vulnerabilità
## February Patch Tuesday: Batch Includes 77 Updates
Microsoft released 77 updates, along with three new advisories, in this month’s Patch Tuesday. It includes fixes for ChakraCore, Edge, Exchange Server, Internet Explorer (IE), Microsoft Windows, Office, among others.
By: Trend Micro Research Feb 13, 2019 Read time: ( words)
Save to Folio
It’s time to get security updates installed. Microsoft released 77 updates, along with three new advisories, in this month’s Patch Tuesday. The bulletin patches four publicly known bugs, rated Important, and one that is under active attack. It includes fixes for ChakraCore, Edge, Exchange Server, Internet Explorer (IE), Microsoft Windows, Office and Microsoft Office Services and Web Apps, Azure, Team Foundation Services, a
Trendmicro
February Patch Tuesday: Batch Includes 77 Updates
blogs_trendmicro·2019-02-13·CVSS 9.8
[CRITICAL] February Patch Tuesday: Batch Includes 77 Updates
Ausnutzung von Schwachstellen
## February Patch Tuesday: Batch Includes 77 Updates
Microsoft released 77 updates, along with three new advisories, in this month’s Patch Tuesday. It includes fixes for ChakraCore, Edge, Exchange Server, Internet Explorer (IE), Microsoft Windows, Office, among others.
By: Trend Micro Research Feb 13, 2019 Read time: ( words)
Save to Folio
It’s time to get security updates installed. Microsoft released 77 updates, along with three new advisories, in this month’s Patch Tuesday. The bulletin patches four publicly known bugs, rated Important, and one that is under active attack. It includes fixes for ChakraCore, Edge, Exchange Server, Internet Explorer (IE), Microsoft Windows, Office and Microsoft Office Services and Web Apps, Azure, Team Foundation Services
Trendmicro
February Patch Tuesday: Batch Includes 77 Updates
blogs_trendmicro·2019-02-13·CVSS 9.8
[CRITICAL] February Patch Tuesday: Batch Includes 77 Updates
Exploits & Vulnerabilities
# February Patch Tuesday: Batch Includes 77 Updates
Microsoft released 77 updates, along with three new advisories, in this month’s Patch Tuesday. It includes fixes for ChakraCore, Edge, Exchange Server, Internet Explorer (IE), Microsoft Windows, Office, among others.
By: Trend Micro Research
2019/02/13
Read time: ( words)
Save to Folio
It’s time to get security updates installed. Microsoft released 77 updates, along with three new advisories, in this month’s Patch Tuesday. The bulletin patches four publicly known bugs, rated Important, and one that is under active attack. It includes fixes for ChakraCore, Edge, Exchange Server, Internet Explorer (IE), Microsoft Windows, Office and Microsoft Office Services and Web Apps, Azure, Team Foundation Services, and
Trendmicro
February Patch Tuesday: Batch Includes 77 Updates
blogs_trendmicro·2019-02-13·CVSS 9.8
[CRITICAL] February Patch Tuesday: Batch Includes 77 Updates
Exploits & Vulnerabilities
## February Patch Tuesday: Batch Includes 77 Updates
Microsoft released 77 updates, along with three new advisories, in this month’s Patch Tuesday. It includes fixes for ChakraCore, Edge, Exchange Server, Internet Explorer (IE), Microsoft Windows, Office, among others.
By: Trend Micro Research Feb 13, 2019 Read time: ( words)
Save to Folio
It’s time to get security updates installed. Microsoft released 77 updates, along with three new advisories, in this month’s Patch Tuesday. The bulletin patches four publicly known bugs, rated Important, and one that is under active attack. It includes fixes for ChakraCore, Edge, Exchange Server, Internet Explorer (IE), Microsoft Windows, Office and Microsoft Office Services and Web Apps, Azure, Team Foundation Services, a
Krebs
Patch Tuesday, February 2019 Edition
blogs_krebs·2019-02-12·CVSS 9.8
[CRITICAL] Patch Tuesday, February 2019 Edition
Microsoft on Tuesday issued a bevy of patches to correct at least 70 distinct security vulnerabilities in Windows and software designed to interact with various flavors of the operating system. This month’s patch batch tackles some notable threats to enterprises — including multiple flaws that were publicly disclosed prior to Patch Tuesday. It also bundles fixes to quash threats relevant to end users, including critical updates for Adobe Flash Player and Microsoft Office, as well as a zero-day bug in Internet Explorer.
Microsoft patched a bug in Internet Exploder Explorer (CVE-2019-0676) discovered by Google that attackers already are using to target vulnerable systems. This flaw could allow malware or miscreants to check for the presence of specific files on the target’s hard drive.
Ano
2019-03-05
Published