Detections
Analytics
Synology DSM HTTP/2 Implementations Allocation of Resources Without Limits or Throttling (CVE-2019-9516)
medium Tenable OT Security Plugin ID 502411
Synopsis
The remote OT asset is affected by a vulnerability.Description
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.
Solution
Refer to the vendor advisory.See Also
http://www.nessus.org/u?a5b121dc
http://www.nessus.org/u?c747aef2
http://www.nessus.org/u?b87b2fef
http://www.nessus.org/u?0c75a914
http://seclists.org/fulldisclosure/2019/Aug/16
https://access.redhat.com/errata/RHSA-2019:2745
https://access.redhat.com/errata/RHSA-2019:2746
https://access.redhat.com/errata/RHSA-2019:2775
https://access.redhat.com/errata/RHSA-2019:2799
https://access.redhat.com/errata/RHSA-2019:2925
https://access.redhat.com/errata/RHSA-2019:2939
https://access.redhat.com/errata/RHSA-2019:2946
https://access.redhat.com/errata/RHSA-2019:2950
https://access.redhat.com/errata/RHSA-2019:2955
https://access.redhat.com/errata/RHSA-2019:2966
https://access.redhat.com/errata/RHSA-2019:3932
https://access.redhat.com/errata/RHSA-2019:3933
https://access.redhat.com/errata/RHSA-2019:3935
http://www.nessus.org/u?5ca4073f
https://kb.cert.org/vuls/id/605641/
https://kc.mcafee.com/corporate/index?page=content&id=SB10296
http://www.nessus.org/u?226a37e0
http://www.nessus.org/u?d0d41817
http://www.nessus.org/u?e3e14cbd
http://www.nessus.org/u?aaea6620
http://www.nessus.org/u?eedfd23f
http://www.nessus.org/u?ffb73998
http://www.nessus.org/u?855995a0
https://seclists.org/bugtraq/2019/Aug/24
https://seclists.org/bugtraq/2019/Aug/40
https://security.netapp.com/advisory/ntap-20190823-0002/
https://security.netapp.com/advisory/ntap-20190823-0005/
https://support.f5.com/csp/article/K02591030
http://www.nessus.org/u?203b5929
https://usn.ubuntu.com/4099-1/
https://www.debian.org/security/2019/dsa-4505
https://www.synology.com/security/advisory/Synology_SA_19_33
Plugin Details
Severity: Medium
ID: 502411
Version: 1.3
Type: remote
Family: Tenable.ot
Published: 10/1/2024
Updated: 10/2/2024
Supported Sensors: Tenable OT Security
Risk Information
VPR
Risk Factor: Medium
Score: 4.4
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Temporal Score: 5
Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C
CVSS Score Source: CVE-2019-9516
CVSS v3
Risk Factor: Medium
Base Score: 6.5
Temporal Score: 5.7
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:synology:diskstation_manager:6.2
Required KB Items: Tenable.ot/Synology
Exploit Ease: No known exploits are available
Patch Publication Date: 8/13/2019
Vulnerability Publication Date: 8/13/2019
Reference Information
CVE: CVE-2019-9516