| Applies To | All RSA Products |
| Issue | HTTP.sys Remote Code Execution Vulnerability - CVE-2015-1635 |
A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who successfully exploits this vulnerability could execute arbitrary code in the context of the System account.
To exploit this vulnerability, an attacker would have to send a specially crafted HTTP request to the affected system. The update addresses the vulnerability by modifying how the Windows HTTP stack handles requests.
See Microsoft Security Bulletin MS15-034 at: https://technet.microsoft.com/en-us/library/security/ms15-034.aspx
RSA is aware of and investigating this issue to identify the product impact. The level of impact may vary depending on the affected product. The following table contains the latest available impact information. This table will be updated as additional information becomes available.
Customers running affected Windows operating systems are encouraged to apply security updates from Microsoft. Please refer to Microsoft Security Bulletin MS15-034 for guidance. For Windows-based appliances provided by RSA, please review the list below for impact status and remediation steps if applicable.
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1-800 995 5095. RSA Security LLC distributes RSA Security Advisories in order to bring important security information to the attention of users of the affected RSA products. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action.
The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.