Synology DSM HTTP/2 settings flood vulnerability
Reporter | Title | Published | Views | Family All 195 |
---|---|---|---|---|
F5 Networks | K50233772 : HTTP/2 Settings Flood vulnerability CVE-2019-9515 | 20 Aug 2019 00:00 | – | f5 |
OSV | CVE-2019-9515 | 13 Aug 2019 21:15 | – | osv |
OSV | HTTP/2 DoS Attacks: Ping, Reset, and Settings Floods | 14 Mar 2022 22:45 | – | osv |
OSV | Red Hat Security Advisory: skydive security update | 20 Sep 2024 13:54 | – | osv |
OSV | h2o - security update | 24 Aug 2019 00:00 | – | osv |
OSV | netty vulnerabilities | 29 Jun 2021 19:18 | – | osv |
OSV | trafficserver - security update | 9 Sep 2019 00:00 | – | osv |
OSV | Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.2.5 on RHEL 7 security update | 20 Sep 2024 13:54 | – | osv |
OSV | Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.2.5 on RHEL 8 security update | 20 Sep 2024 13:54 | – | osv |
OSV | Red Hat Security Advisory: Red Hat Single Sign-On 7.3.5 security update on RHEL 8 | 20 Sep 2024 13:55 | – | osv |
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
# Plugin registration block. When the scanner runs the script with
# 'description' set, only the metadata below is recorded and the script
# exits (exit(0) at the end of this block) before the detection logic
# further down is reached.
if (description)
{
script_id(502392);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/10/02");
# CVE-2019-9515: HTTP/2 SETTINGS flood (resource exhaustion, see script_cwe_id below).
script_cve_id("CVE-2019-9515");
script_xref(name:"CEA-ID", value:"CEA-2019-0643");
script_name(english:"Synology DSM HTTP/2 Implementations Allocation of Resources Without Limits or Throttling (CVE-2019-9515)");
script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
# User-facing description; this text is shown in the report, so keep it in
# sync with the CVE wording rather than editing it casually.
script_set_attribute(attribute:"description", value:
"Some HTTP/2 implementations are vulnerable to a settings flood,
potentially leading to a denial of service. The attacker sends a
stream of SETTINGS frames to the peer. Since the RFC requires that the
peer reply with one acknowledgement per SETTINGS frame, an empty
SETTINGS frame is almost equivalent in behavior to a ping. Depending
on how efficiently this data is queued, this can consume excess CPU,
memory, or both.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
# Reference list for CVE-2019-9515. Where a reference is given as a
# nessus.org/u? short link, the comment immediately above it holds the
# original (long) URL.
# http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a5b121dc");
# http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c747aef2");
script_set_attribute(attribute:"see_also", value:"http://seclists.org/fulldisclosure/2019/Aug/16");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2019:2766");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2019:2796");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2019:2861");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2019:2925");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2019:2939");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2019:2955");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2019:3892");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2019:4018");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2019:4019");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2019:4020");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2019:4021");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2019:4040");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2019:4041");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2019:4042");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2019:4045");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2019:4352");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:0727");
# https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5ca4073f");
script_set_attribute(attribute:"see_also", value:"https://kb.cert.org/vuls/id/605641/");
script_set_attribute(attribute:"see_also", value:"https://kc.mcafee.com/corporate/index?page=content&id=SB10296");
# https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?513ffb26");
# https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?63c4552c");
# https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?48e130b0");
# https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?226a37e0");
# https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e3e14cbd");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2019/Aug/24");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2019/Aug/43");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2019/Sep/18");
script_set_attribute(attribute:"see_also", value:"https://security.netapp.com/advisory/ntap-20190823-0005/");
script_set_attribute(attribute:"see_also", value:"https://support.f5.com/csp/article/K50233772");
# https://support.f5.com/csp/article/K50233772?utm_source=f5support&%3Butm_medium=RSS
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a487d7af");
script_set_attribute(attribute:"see_also", value:"https://usn.ubuntu.com/4308-1/");
script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2019/dsa-4508");
script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2019/dsa-4520");
# The Synology advisory is the one that applies to the DSM asset this plugin targets.
script_set_attribute(attribute:"see_also", value:"https://www.synology.com/security/advisory/Synology_SA_19_33");
script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory.");
# CVSS v2/v3: network-reachable, low complexity, no authentication or user
# interaction, impact on availability only (C:N/I:N) -- a pure denial of service.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-9515");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
# CWE-400 (uncontrolled resource consumption) and CWE-770 (allocation without limits).
script_cwe_id(400, 770);
script_set_attribute(attribute:"vuln_publication_date", value:"2019/08/13");
script_set_attribute(attribute:"patch_publication_date", value:"2019/08/13");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/10/01");
script_set_attribute(attribute:"plugin_type", value:"remote");
# Asset match key; the detection section below keys its version table on
# the same CPE string, so the two must stay in sync.
script_set_attribute(attribute:"cpe", value:"cpe:/a:synology:diskstation_manager:6.2");
script_set_attribute(attribute:"generated_plugin", value:"former");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Tenable.ot");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Depends on the Tenable.ot API integration plugin; the KB key required on
# the next line is presumably populated by it -- verify against that plugin.
script_dependencies("tenable_ot_api_integration.nasl");
script_require_keys("Tenable.ot/Synology");
exit(0);
}
include('tenable_ot_cve_funcs.inc');
# Detection section: reached only on a real scan run (the registration
# block above exits first). Stop unless the Tenable.ot integration has
# recorded a Synology asset in the knowledge base.
get_kb_item_or_exit('Tenable.ot/Synology');

# Asset record for the Synology device as collected by the OT integration.
var synology_asset = tenable_ot::assets::get(vendor:'Synology');

# Affected DSM range for CVE-2019-9515: 6.2 up to, but excluding,
# 6.2.2-24922-4 (presumably the first fixed build per the Synology_SA_19_33
# advisory referenced in the registration block -- confirm against the advisory).
var affected_range = {
  "versionEndExcluding"   : "6.2.2-24922-4",
  "versionStartIncluding" : "6.2",
  "family"                : "DiskStation"
};

# Keyed on the same CPE string that the plugin registers as its "cpe" attribute.
var affected_cpes = make_array("cpe:/a:synology:diskstation_manager:6.2", affected_range);

# Compare the asset's reported version against the range and, if it falls
# inside, report at SECURITY_HOLE (availability-only impact, unauthenticated
# network vector per the registered CVSS vectors).
tenable_ot::cve::compare_and_report(asset:synology_asset, cpes:affected_cpes, severity:SECURITY_HOLE);