Kingdom: Environment

This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.

Insecure Deployment: HTTP.sys

Abstract
The target server uses a version of IIS web server software that contains a critical remote code execution vulnerability (CVE-2015-1635).
Explanation
Affected versions of IIS web server software rely on a vulnerable version of the kernel-mode HTTP protocol driver HTTP.sys. By sending an HTTP request with a malformed Range header to a vulnerable server, an attacker can execute arbitrary code in the context of the System (administrator) account. The attacker might also use malformed requests to crash the server (rendering its services unavailable) or to expose the contents of the server's memory.
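As an added defensive example (not part of the Fortify taxonomy entry and not code from the HTTP.sys driver), the following Range-header validator is the kind of check a reverse proxy or WAF in front of IIS can apply before a request reaches the kernel driver: it parses the RFC 7233 byte-range syntax and flags values that cannot be handled in 64-bit arithmetic, which is the integer-overflow class (CWE-190) the standards mappings below cite. The sample requests and the function names are constructed for this illustration.

```python
import re
from typing import List, Optional

U64_MAX = 2**64 - 1
# RFC 7233 byte-range-spec: "first-last", "first-" (open ended) or "-suffix".
RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def range_header_issues(value: str) -> List[str]:
    """Return the reasons a Range header value is malformed or overflow-prone.

    An empty list means every range-spec is syntactically valid and its byte
    positions, plus the length arithmetic derived from them, fit in 64 bits.
    """
    issues: List[str] = []
    unit, sep, specs = value.partition("=")
    if sep != "=" or unit.strip().lower() != "bytes":
        return ["unsupported or missing range unit"]
    for spec in (s.strip() for s in specs.split(",")):
        match = RANGE_SPEC.match(spec)
        if not match:
            issues.append(f"unparseable range-spec {spec!r}")
            continue
        first, last = match.groups()
        if not first and not last:
            issues.append("empty range-spec")
            continue
        # CWE-190 checks: each position must fit a 64-bit counter, and the
        # server-side length computation (last - first + 1) must not wrap.
        if first and int(first) > U64_MAX:
            issues.append(f"first-byte-pos {first} exceeds 64 bits")
        if last and int(last) >= U64_MAX:
            issues.append(f"last-byte-pos {last} overflows 64-bit length arithmetic")
        if first and last and int(first) > int(last):
            issues.append(f"first-byte-pos {first} is greater than last-byte-pos {last}")
    return issues


def triage_request(raw_headers: str) -> Optional[List[str]]:
    """Locate the Range header in a raw header block; None if the request has none."""
    for line in raw_headers.splitlines():
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "range":
            return range_header_issues(val.strip())
    return None


# Constructed sample requests for a self-check (not captured traffic).
SAMPLES = {
    "normal": "GET /a.jpg HTTP/1.1\r\nHost: example.test\r\nRange: bytes=0-1023\r\n",
    "no_range": "GET /a.jpg HTTP/1.1\r\nHost: example.test\r\n",
    "boundary": "GET /a.jpg HTTP/1.1\r\nHost: example.test\r\nRange: bytes=0-18446744073709551615\r\n",
}
```

A proxy would reject requests for which `triage_request` returns a non-empty list and log the reasons; requests with no Range header or a well-formed one pass through unchanged.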
References
[1] MITRE, CVE-2015-1635
[2] Microsoft, Microsoft Security Bulletin MS15-034 - Critical
[3] Microsoft, Enable Kernel Caching (IIS 7)
[4] Standards Mapping - Common Weakness Enumeration CWE ID 190
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [8] CWE ID 190
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [11] CWE ID 190
[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [12] CWE ID 190
[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [13] CWE ID 190
[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [14] CWE ID 190
[10] Standards Mapping - Common Weakness Enumeration Top 25 2024 [12] CWE ID 020, [23] CWE ID 190
[11] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-002754
[12] Standards Mapping - FIPS200 SI
[13] Standards Mapping - General Data Protection Regulation (GDPR) Indirect Access to Sensitive Data
[14] Standards Mapping - NIST Special Publication 800-53 Revision 4 SI-10 Information Input Validation (P1)
[15] Standards Mapping - NIST Special Publication 800-53 Revision 5 SI-10 Information Input Validation
[16] Standards Mapping - OWASP Application Security Verification Standard 4.0 5.4.3 Memory/String/Unmanaged Code Requirements (L1 L2 L3)
[17] Standards Mapping - OWASP Mobile 2024 M2 Inadequate Supply Chain Security
[18] Standards Mapping - OWASP Top 10 2013 A9 Using Components with Known Vulnerabilities
[19] Standards Mapping - OWASP Top 10 2017 A9 Using Components with Known Vulnerabilities
[20] Standards Mapping - OWASP Top 10 2021 A06 Vulnerable and Outdated Components
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.2
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.2
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.2
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.2
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.3.3
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0.1 Requirement 6.3.3
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 10.2 - Threat and Vulnerability Management
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 10.2 - Threat and Vulnerability Management
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 10.2 - Threat and Vulnerability Management, Control Objective C.1.6 - Web Software Components & Services
[30] Standards Mapping - SANS Top 25 2010 Risky Resource Management - CWE ID 190
[31] Standards Mapping - SANS Top 25 2011 Risky Resource Management - CWE ID 190
[32] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP6050 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP6050 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP6050 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP6050 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-002560 CAT I
[37] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-002560 CAT I
[38] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-002560 CAT I
[39] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-002560 CAT I
[40] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-002560 CAT I
[41] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-002560 CAT I
[42] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-002560 CAT I
[43] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-002560 CAT I
[44] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-002560 CAT I
[45] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-002560 CAT I
[46] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-002560 CAT I
[47] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-002560 CAT I
[48] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-002560 CAT I
[49] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-002560 CAT I
[50] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-002560 CAT I
[51] Standards Mapping - Security Technical Implementation Guide Version 6.2 APSC-DV-002560 CAT I
[52] Standards Mapping - Web Application Security Consortium Version 2.00 Integer Overflows (WASC-03)