Synology DSM HTTP/2 Implementations Allocation of Resources Without Limits or Throttling (CVE-2019-9516)

Severity: Medium | Tenable OT Security Plugin ID 502411

Synopsis

The remote OT asset is affected by a vulnerability.

Description

Some HTTP/2 implementations are vulnerable to a resource leak caused by zero-length headers, potentially leading to a denial of service. The attacker sends a stream of header fields with a 0-length header name and a 0-length header value, optionally Huffman encoded so that each length octet still occupies 1 byte or more on the wire. Each such field costs the sender only a few bytes, but vulnerable implementations allocate memory for every field and keep the allocation alive until the session ends, so a single long-lived connection can consume excessive memory on the server.
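As an added example (not Tenable's or Synology's code), the following Python builds the HPACK header block the description refers to and decodes it twice: once charging only the name and value lengths against SETTINGS_MAX_HEADER_LIST_SIZE, so the empty fields cost nothing and are all accepted, and once charging the 32-byte per-field overhead defined in RFC 7541 section 4.1 and referenced by RFC 7540 section 6.5.2, which rejects the block long before it grows large. The frame builder, the limit value and the decoder are illustrative assumptions, not any real server's implementation; the decoder only handles the literal-without-indexing form the attack uses.

```python
"""CVE-2019-9516 style zero-length header block: encoder and two decoders.

Added example, not code from Tenable, Synology or any HTTP/2 library.
HPACK literal header field without indexing, new name (RFC 7541 s6.2.2):
  0x00 | string(name) | string(value), string = [H bit | 7-bit length] + octets
A zero-length field is therefore b"\\x00\\x00\\x00"; with the H (Huffman) bit
set on both length octets it is b"\\x00\\x80\\x80" and still decodes to ("", "").
"""
import struct

HEADER_FIELD_OVERHEAD = 32  # per-field accounting, RFC 7541 s4.1 / RFC 7540 s6.5.2
DEFAULT_MAX_HEADER_LIST_SIZE = 16384  # assumed server setting for the example


class HeaderListTooLarge(Exception):
    """Raised when the accounted header list size exceeds the limit."""


def empty_literal(huffman=False):
    """One literal field with empty name and empty value (3 bytes on the wire)."""
    length_octet = 0x80 if huffman else 0x00  # H bit set, length 0
    return bytes([0x00, length_octet, length_octet])


def attack_block(count, huffman=False):
    """Header block of `count` zero-length fields, as the attacker would send."""
    return empty_literal(huffman) * count


def headers_frame(stream_id, block, end_headers=True):
    """Wrap a header block in an HTTP/2 HEADERS frame (RFC 7540 s4.1, s6.2)."""
    flags = 0x04 if end_headers else 0x00  # END_HEADERS; END_STREAM deliberately unset
    length = struct.pack(">I", len(block))[1:]  # 24-bit length
    return length + bytes([0x01, flags]) + struct.pack(">I", stream_id & 0x7FFFFFFF) + block


def decode_int(data, pos, prefix_bits):
    """HPACK integer with an N-bit prefix (RFC 7541 s5.1)."""
    mask = (1 << prefix_bits) - 1
    value = data[pos] & mask
    pos += 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        octet = data[pos]
        pos += 1
        value += (octet & 0x7F) << shift
        shift += 7
        if not octet & 0x80:
            return value, pos


def decode_string(data, pos):
    """HPACK string literal (RFC 7541 s5.2); only empty Huffman strings are handled."""
    huffman = bool(data[pos] & 0x80)
    length, pos = decode_int(data, pos, 7)
    raw = bytes(data[pos:pos + length])
    pos += length
    if huffman and length:
        raise NotImplementedError("non-empty Huffman strings are out of scope here")
    return raw, pos


def decode_block(block, max_header_list_size=DEFAULT_MAX_HEADER_LIST_SIZE,
                 charge_overhead=True):
    """Decode literal-without-indexing fields, enforcing a header list size limit.

    charge_overhead=False reproduces the flawed accounting: a field costs only
    len(name) + len(value), so zero-length fields are free and unbounded.
    charge_overhead=True applies the 32-byte overhead per field, so every field
    counts and the limit is hit after max_header_list_size // 32 fields.
    """
    pos, size, fields = 0, 0, []
    while pos < len(block):
        first = block[pos]
        if first not in (0x00, 0x10):  # without indexing / never indexed, new name
            raise ValueError("representation 0x%02x not handled by this decoder" % first)
        pos += 1
        name, pos = decode_string(block, pos)
        value, pos = decode_string(block, pos)
        size += len(name) + len(value)
        if charge_overhead:
            size += HEADER_FIELD_OVERHEAD
        if size > max_header_list_size:
            raise HeaderListTooLarge("%d bytes after %d fields" % (size, len(fields) + 1))
        fields.append((name, value))
    return fields


def fields_accepted(block, max_header_list_size=DEFAULT_MAX_HEADER_LIST_SIZE,
                    charge_overhead=True):
    """Number of fields a decoder with the given accounting accepts from `block`."""
    try:
        return len(decode_block(block, max_header_list_size, charge_overhead))
    except HeaderListTooLarge:
        return -1


if __name__ == "__main__":
    block = attack_block(1000, huffman=True)
    print("frame bytes on the wire:", len(headers_frame(1, block)))
    print("naive accounting accepts:", fields_accepted(block, charge_overhead=False))
    print("RFC accounting accepts:", fields_accepted(block, charge_overhead=True))
```

Each HEADERS frame above carries 1000 fields in 3000 bytes and the naive decoder accepts all of them; the attacker repeats this across many streams of one connection, which is where the per-session memory growth comes from. With the 32-byte overhead charged, the same block exceeds a 16384-byte SETTINGS_MAX_HEADER_LIST_SIZE at the 513th field and the connection can be torn down early.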

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

Refer to the vendor advisory (Synology_SA_19_33, listed under See Also) and update DSM to the fixed release it names.

See Also

http://www.nessus.org/u?a5b121dc

http://www.nessus.org/u?c747aef2

http://www.nessus.org/u?b87b2fef

http://www.nessus.org/u?0c75a914

http://seclists.org/fulldisclosure/2019/Aug/16

https://access.redhat.com/errata/RHSA-2019:2745

https://access.redhat.com/errata/RHSA-2019:2746

https://access.redhat.com/errata/RHSA-2019:2775

https://access.redhat.com/errata/RHSA-2019:2799

https://access.redhat.com/errata/RHSA-2019:2925

https://access.redhat.com/errata/RHSA-2019:2939

https://access.redhat.com/errata/RHSA-2019:2946

https://access.redhat.com/errata/RHSA-2019:2950

https://access.redhat.com/errata/RHSA-2019:2955

https://access.redhat.com/errata/RHSA-2019:2966

https://access.redhat.com/errata/RHSA-2019:3932

https://access.redhat.com/errata/RHSA-2019:3933

https://access.redhat.com/errata/RHSA-2019:3935

http://www.nessus.org/u?5ca4073f

https://kb.cert.org/vuls/id/605641/

https://kc.mcafee.com/corporate/index?page=content&id=SB10296

http://www.nessus.org/u?226a37e0

http://www.nessus.org/u?d0d41817

http://www.nessus.org/u?e3e14cbd

http://www.nessus.org/u?aaea6620

http://www.nessus.org/u?eedfd23f

http://www.nessus.org/u?ffb73998

http://www.nessus.org/u?855995a0

https://seclists.org/bugtraq/2019/Aug/24

https://seclists.org/bugtraq/2019/Aug/40

https://security.netapp.com/advisory/ntap-20190823-0002/

https://security.netapp.com/advisory/ntap-20190823-0005/

https://support.f5.com/csp/article/K02591030

http://www.nessus.org/u?203b5929

https://usn.ubuntu.com/4099-1/

https://www.debian.org/security/2019/dsa-4505

https://www.synology.com/security/advisory/Synology_SA_19_33

Plugin Details

Severity: Medium

ID: 502411

Version: 1.3

Type: remote

Family: Tenable.ot

Published: 10/1/2024

Updated: 10/2/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C

CVSS Score Source: CVE-2019-9516

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:synology:diskstation_manager:6.2

Required KB Items: Tenable.ot/Synology

Exploit Ease: No known exploits are available

Patch Publication Date: 8/13/2019

Vulnerability Publication Date: 8/13/2019

Reference Information

CVE: CVE-2019-9516

CWE: 400, 770