Multiple vulnerabilities in Microsoft Windows Hyper-V

Published: 2019-12-10

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2019-1470 CVE-2019-1471
CWE-ID	CWE-20
Exploitation vector	Local network
Public exploit	N/A
Vulnerable software Subscribe	Windows Operating systems & Components / Operating system Windows Server Operating systems & Components / Operating system
Vendor	Microsoft

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU23499

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-1470

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied input. A remote authenticated usre of a guest operating system can use specially crafted program to send request to the host operating system and disclose memory of the host OS.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Windows: 7 - 10 1903

Windows Server: 2008 - 2019 1903

CPE2.3

cpe:2.3:o:microsoft:windows:10:1803:*:*:*:*:*:*

External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1470

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Input validation error

EUVDB-ID: #VU23501

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-1471

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote authenticated user on a guest operating system can run a specially crafted application that sends requests to the host operating system and execute arbitrary code on the host operating system.