CVE-2019-1372
published 2019-10-10


Priority: P2 72
Severity: critical, 10 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 17.83% (96.8th percentile)
A remote code execution vulnerability exists when Azure App Service/Antares on Azure Stack fails to check the length of a buffer prior to copying memory to it. An attacker who successfully exploited this vulnerability could allow an unprivileged function run by the user to execute code in the context of NT AUTHORITY\system, thereby escaping the Sandbox. The security update addresses the vulnerability by ensuring that Azure App Service sanitizes user inputs. This vulnerability is also known as 'Azure App Service Remote Code Execution Vulnerability'.

Affected

4 ranges
Vendor     Product                              Version range  Fixed in
microsoft  azure_app_service_on_azure_stack     < 1.7          1.7
microsoft  azure_app_service_on_azure_stack
msrc       azure_app_service_on_azure_stack
msrc       windows_azure_pack_web_sites_v2

Detection & IOCs (extracted from sources)

process: w3wp.exe
filename: DWASInterop.dll
filename: RsFilter.sys
filename: RsHelper.dll
  • Alert on DWASSVC (the Azure App Service worker management service) crashing or spawning unexpected child processes, as a successful exploit causes DWASSVC to crash and can lead to code execution as NT AUTHORITY\SYSTEM.
  • The vulnerability exists specifically in Azure App Service on Azure Stack (code-named Antares); it affects the DWASSVC service via the named pipe IPC mechanism in DWASInterop.dll. The flaw is a missing buffer-length check before a memory copy in IPM_MESSAGE_PIPE::MessagePipeCompletion.
  • Microsoft confirmed the vulnerability was present and exploitable on both Azure Cloud and Azure Stack environments.
  • As of the October 2019 Patch Tuesday disclosure, Microsoft rated exploitation as 'Less Likely' for both latest and older software releases, and there is no evidence of in-the-wild exploitation.

CVSS provenance

Source       Version  Score  Severity  Vector
nvd          v3.1     10.0   CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd          v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_msrc           10.0   CRITICAL