cbcvebase.
CVE-2019-0703
published 2019-04-09

Priority: P275 · medium · 6.5 (CVSS 3.1)
CVSS 3.1 metrics: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
KEV · ITW
CISA Known Exploited Vulnerability · due 2022-06-13
Exploited in the wild
EPSS: 9.64% (94.9th percentile)
An information disclosure vulnerability exists in the way that the Windows SMB Server handles certain requests, aka 'Windows SMB Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-0704, CVE-2019-0821.

Affected

46 ranges · showing 25 (the version range and fixed-in columns are empty in this listing)

Vendor | Product | Ranges shown
microsoft | windows | 14
microsoft | windows_10 | 5
microsoft | windows_server | 6

Detection & IOCs (extracted from sources)

  • Bemstour (APT3/Buckeye exploitation tool) constructs all SMB packets manually over plain TCP sockets with hardcoded field values including hardcoded UIDs in a particular range — anomalous SMB traffic with static/repeated UID values should be flagged.
  • CVE-2019-0703 is exploited as a kernel information leak (memory layout disclosure) via specially crafted authenticated SMB messages; monitor for authenticated SMB sessions sending anomalous/malformed requests that elicit memory address responses.
  • The information disclosed is memory layout data enabling ASLR bypass; exploitation has been detected in the wild on both latest and older software releases — treat any successful exploitation as a precursor to follow-on RCE.
  • Exploitation requires prior authentication to the SMB server; unauthenticated SMB exposure alone is not sufficient, and the attacker must hold valid credentials.
  • CVE-2019-0703 is distinct from CVE-2019-0704 and CVE-2019-0821, which are separate Windows SMB Information Disclosure vulnerabilities patched in the same cycle; ensure all three are addressed.
  • The vulnerability was used as a 0-day info-leak component within the UPSynergy exploit chain (combining an EternalRomance-equivalent with this info leak) to extend targeting to Windows versions beyond Windows 7; patching SMBv1 alone may not be sufficient if SMB is exposed.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N
vulncheck | | 6.5 | MEDIUM |
cisa | | 6.5 | MEDIUM |
vendor_msrc | | 6.5 | MEDIUM |