CVE-2019-0703
Published 2019-04-09
Priority P275 · medium · 6.5 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
CISA Known Exploited Vulnerability · due 2022-06-13
Exploited in the wild
EPSS 9.64% (94.9th percentile)
An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests, aka 'Windows SMB Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-0704, CVE-2019-0821.
Affected
46 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_server | — | — |
Detection & IOCs
- Bemstour (APT3/Buckeye exploitation tool) constructs all SMB packets manually over plain TCP sockets with hardcoded field values including hardcoded UIDs in a particular range — anomalous SMB traffic with static/repeated UID values should be flagged.
- CVE-2019-0703 is exploited as a kernel information leak (memory layout disclosure) via specially crafted authenticated SMB messages; monitor for authenticated SMB sessions sending anomalous/malformed requests that elicit memory address responses.
- The information disclosed is memory layout data enabling ASLR bypass; exploitation has been detected in the wild on both latest and older software releases — treat any successful exploitation as a precursor to follow-on RCE.
- Exploitation requires prior authentication to the SMB server — unauthenticated SMB exposure alone is not sufficient; attacker must hold valid credentials.
- CVE-2019-0703 is distinct from CVE-2019-0704 and CVE-2019-0821, which are separate Windows SMB Information Disclosure vulnerabilities patched in the same cycle; ensure all three are addressed.
- The vulnerability was used as a 0-day info leak component within the UPSynergy exploit chain (combining EternalRomance-equivalent + this info leak) to extend targeting to Windows versions beyond Windows 7; patching SMBv1 alone may not be sufficient if SMB is exposed.
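One way to apply the first detection note above to SMBv1 traffic, as an added example (not code from this page or its sources): it parses the SMB1 header and flags a client that presents the same UID to several servers. The function names, the `min_servers` threshold and the sample traffic are assumptions; the page does not give Bemstour's UID range, so none is encoded.

```python
import struct
from collections import defaultdict

SMB1_MAGIC = b"\xffSMB"
FLAG_REPLY = 0x80  # SMB1 Flags bit set on server-to-client messages

def parse_smb1(payload):
    """Return (command, uid, is_reply) for a TCP payload holding a 4-byte
    NetBIOS session header followed by an SMB1 header, else None."""
    if len(payload) < 36 or payload[4:8] != SMB1_MAGIC:
        return None
    command, flags = payload[8], payload[13]
    (uid,) = struct.unpack_from("<H", payload, 4 + 28)  # UID: header offset 28
    return command, uid, bool(flags & FLAG_REPLY)

def flag_static_uids(records, min_servers=3):
    """records: (client_ip, server_ip, tcp_payload) tuples. Flags a client
    sending one non-zero UID to >= min_servers servers. Servers assign UIDs,
    so benign collisions exist: min_servers is an assumed, tunable threshold."""
    servers = defaultdict(set)
    for client, server, payload in records:
        parsed = parse_smb1(payload)
        if parsed is None:
            continue  # not SMB1, or too short to carry a header
        _, uid, is_reply = parsed
        if not is_reply and uid != 0:
            servers[(client, uid)].add(server)
    return {k: sorted(v) for k, v in servers.items() if len(v) >= min_servers}

def build_smb1(command, uid, reply=False):
    """Build a constructed sample message (empty body) for the demo."""
    hdr = struct.pack("<4sBIBHH8sHHHHH", SMB1_MAGIC, command, 0,
                      0x98 if reply else 0x18, 0xC807, 0, b"\0" * 8,
                      0, 1, 0xFEFF, uid, 1)
    body = hdr + b"\x00\x00\x00"  # WordCount=0, ByteCount=0
    return struct.pack(">I", len(body)) + body

# Constructed traffic: 0x1234 is a made-up UID, not a value from the page.
SAMPLE = [
    ("10.0.0.5", "10.0.1.10", build_smb1(0x25, 0x1234)),
    ("10.0.0.5", "10.0.1.11", build_smb1(0x25, 0x1234)),
    ("10.0.0.5", "10.0.1.12", build_smb1(0x25, 0x1234)),
    ("10.0.0.9", "10.0.1.10", build_smb1(0x25, 0x0801)),
    ("10.0.0.9", "10.0.1.11", build_smb1(0x25, 0x1003)),
    ("10.0.1.10", "10.0.0.5", build_smb1(0x25, 0x1234, reply=True)),
    ("10.0.0.9", "10.0.1.12", b"\x00\x00\x00\x04junk"),
]

print(flag_static_uids(SAMPLE))
```
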
CVSS provenance
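| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| vulncheck | — | 6.5 | MEDIUM | — |
| cisa | — | 6.5 | MEDIUM | — |
| vendor_msrc | — | 6.5 | MEDIUM | — |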
GHSA
GHSA-4363-m599-g24f · CVE-2019-0703 [MEDIUM]
ghsa_unreviewed · 2022-05-13 · CVSS 6.5
An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests, aka 'Windows SMB Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-0704, CVE-2019-0821.
GHSA
GHSA-7hvr-vpv9-p423 · CVE-2019-0821 [MEDIUM]
ghsa_unreviewed · 2022-05-13 · CVSS 6.5
An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests, aka 'Windows SMB Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-0703, CVE-2019-0704.
GHSA
GHSA-gx47-9xcf-wqqr · CVE-2019-0704 [MEDIUM]
ghsa_unreviewed · 2022-05-13 · CVSS 6.5
An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests, aka 'Windows SMB Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-0703, CVE-2019-0821.
Project0
Detection Deficit: A Year in Review of 0-days Used In-The-Wild in 2019 - Project Zero
project_zero·2020-07-01
Posted by Maddie Stone, Project Zero
In May 2019, Project Zero released our tracking spreadsheet for 0-days used “in the wild” and we started a more focused effort on analyzing and learning from these exploits. This is another way Project Zero is trying to make zero-day hard. This blog post synthesizes many of our efforts and what we’ve seen over the last year. We provide a review of what we can learn from 0-day exploits detected as used in the wild in 2019. In conjunction with this blog post, we are also publishing another blog post today about our root cause analysis work that informed the conclusions in this Year in Review. We are also releasing 8 root cause analyses that we have done for in-the-wild 0-days from 2019.
When I had the idea for this “Year in Review” blog post, I immedi
VulnCheck
Microsoft Windows SMB Information Disclosure Vulnerability
vulncheck·2019·CVSS 6.5
An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests, which could lead to information disclosure from the server.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2019-Mar; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-06-13
CISA
Microsoft Windows SMB Information Disclosure Vulnerability
cisa·2022-05-23·CVSS 6.5
Vulnerability: Microsoft Windows SMB Information Disclosure Vulnerability
Affected: Microsoft Windows
An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests, which could lead to information disclosure from the server.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-0703
Remediation Due Date: 2022-06-13
Microsoft
Windows SMB Information Disclosure Vulnerability
vendor_msrc·2019-03-12·CVSS 6.5
Description: An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests. An authenticated attacker who successfully exploited this vulnerability could craft a special packet, which could lead to information disclosure from the server.
To exploit the vulnerability, an attacker would have to be able to authenticate and send SMB messages to an impacted Windows SMB Server.
The security update addresses the vulnerability by correcting how Windows SMB Server handles authenticated requests.
FAQ: What type of information could be disclosed by this vulnerability?
The type of information that could be disclosed if an attacker successfully exploited this vulnerability is memory layout - the vulnerabi
No detection rules found.
No public exploits indexed.
2019-04-09: Published
2022-05-23: Added to CISA KEV
Exploited in the wild