【安全漏洞公告】Windows HTTP.sys 權限提升漏洞(CVE-2023-23410)
一、漏洞簡介
|
CVE ID
|
CVE-2023-23410
|
公開日期
|
2023-03-21
|
|
危害級別
|
高危
|
攻擊復雜程度
|
低
|
|
POC/EXP
|
已公開
|
攻擊途徑
|
遠程網絡
|
�����
HTTP.sys是Microsoft Windows處理HTTP請求的內核驅動程序。Windows HTTP.sys中存在整數溢出漏洞,由于對ServiceName的原始輸入長度校驗錯誤,可以通過構造惡意內容來觸發該漏洞,導致權限提升或拒絕服務。
二、影響范圍
������
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
�������
Windows Server 2012 (Server Core installation)
Windows Server 2012
�������
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
�����
Windows Server 2008 R2 for x64-based Systems Service Pack 1
������
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
�����
Windows Server 2008 for x64-based Systems Service Pack 2
�������
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
�����
Windows Server 2008 for 32-bit Systems Service Pack 2
�����
Windows Server 2016 (Server Core installation)
Windows Server 2016
����
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows 10 Version 22H2 for 32-bit Systems
������
Windows 10 Version 22H2 for ARM64-based Systems
������
Windows 10 Version 22H2 for x64-based Systems
�������
Windows 11 Version 22H2 for x64-based Systems
�������
Windows 11 Version 22H2 for ARM64-based Systems
������
Windows 10 Version 21H2 for x64-based Systems
�����
Windows 10 Version 21H2 for ARM64-based Systems
Windows 10 Version 21H2 for 32-bit Systems
������
Windows 11 version 21H2 for ARM64-based Systems
�������
Windows 11 version 21H2 for x64-based Systems
������
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
�����
Windows 10 Version 20H2 for x64-based Systems
�������
Windows Server 2022 (Server Core installation)
Windows Server 2022
�����
Windows Server 2019 (Server Core installation)
Windows Server 2019
�������
Windows 10 Version 1809 for ARM64-based Systems
������
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
三、解決措施
目前微軟已經發布了該漏洞的補丁,受影響用戶可及時安裝。
�����
//msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23410
四、參考鏈接
������
//msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23410
�������
//www.numencyber.com/cve-2023-23410-analysis/
