CVE-2019-5096
Published 2019-12-03
Priority P278 | critical | 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 66.98% (99.2th percentile)
An exploitable code execution vulnerability exists in the processing of multi-part/form-data requests within the base GoAhead web server application in versions v5.0.1, v4.1.1 and v3.6.5. A specially crafted HTTP request can lead to a use-after-free condition during the processing of this request that can be used to corrupt heap structures that could lead to full code execution. The request can be unauthenticated in the form of GET or POST requests, and does not require the requested resource to exist on the server.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| embedthis | goahead | — | — |
| embedthis | goahead | — | — |
| embedthis | goahead | — | — |
Detection & IOCs
- Snort rule 51331
- Snort rule 51332
- Detect exploitation attempts targeting multi-part/form-data HTTP requests (GET or POST) against GoAhead web server; requests do not require authentication and do not require the target resource to exist on the server.
- Focus detection on specially crafted multi-part/form-data HTTP requests that trigger a use-after-free condition in GoAhead; heap corruption leading to code execution is the expected outcome.
- Apply Snort rules 51331 and 51332 (available via Firepower Management Center or Snort.org) to detect exploitation attempts; note rules may be updated as additional vulnerability information becomes available.
- Affected GoAhead versions are v5.0.1, v4.1.1, and v3.6.5; detection and patching should target these specific versions across all embedded deployments.
- No known public exploits specifically target CVE-2019-5096 at time of CISA advisory publication, but the vulnerability is remotely exploitable with low attack complexity (CVSS v3 9.8).
- Multiple Rockwell Automation ICS products embed the vulnerable GoAhead version; firmware versions are product-specific and must be checked individually against the affected firmware list.
CVSS provenance
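| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |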
CISA ICS
Rockwell Automation products using GoAhead Web Server
cisa_ics·2023-01-26·CVSS 9.8
ICS Advisory
Last Revised: January 26, 2023
Alert Code: ICSA-23-026-06
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Rockwell Automation
- Equipment: Products using GoAhead Web Server
- Vulnerabilities: Infinite Loop, Use after Free
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could have a high impact on the confidentiality, integrity, and availability of the vulnerable devices.
## 3. TECHNICAL DETAILS
### 3.1 AFFECTED PRODUCTS
Rockwell Automation reports the following products use a version of GoAhead web server vulnerable to both CVE-2019-5096 and CVE-2019-5097:
- 1732E-8CFGM8R/A: firmware version 1.012
- 1732E-IF4M1
GHSA
ghsa_unreviewed·2022-05-24
CVE-2019-5096 [CRITICAL] CWE-416 GHSA-xcxv-6fr5-34fm: An exploitable code execution vulnerability exists in the processing of multi-part/form-data requests within the base GoAhead web server application i
No detection rules found.
No public exploits indexed.
Talos
Vulnerability Spotlight: Two vulnerabilities in EmbedThis GoAhead
blogs_talos·2019-12-02·CVSS 9.8
A Cisco Talos researcher discovered these vulnerabilities. Blog by Jon Munshaw.
EmbedThis’ GoAhead Web Server contains two vulnerabilities that both arise when the software attempts to process a multi-part/form-data HTTP request. An attacker could exploit these vulnerabilities to remotely execute code on the victim machine, or cause a denial-of-service condition.
GoAhead Web Server is a popular embedded web server designed to be a fully customizable web application framework and server for embedded devices. It provides all the base HTTP server functionality and provides a highly customizable platform for developers of embedded web applications.
In accordance with our coordinated disclosure policy, Cisco Talos worked with EmbedThis to ensure that these issues are resolved and that an upd
arXiv
Fat Pointers for Temporal Memory Safety of C
arxiv_fulltext·2023-03-20
## Abstract
Temporal memory safety bugs, especially use-after-free and double free bugs,
pose a major security threat to C programs. Real-world exploits utilizing
these bugs enable
attackers to read and write arbitrary memory locations, causing disas