CVE-2024-20655 - OpenCVE

Microsoft Online Certificate Status Protocol (OCSP) Remote Code Execution Vulnerability

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Microsoft	Windows Server 2012 Windows Server 2022 23h2 Windows Server 2022 Windows Server 2016 Windows Server 2019 Windows Server 2008

Configuration 1 [-]

OR	cpe:2.3:o:microsoft:windows_server_2008:-:sp2:::::x64:*
	cpe:2.3:o:microsoft:windows_server_2008:-:sp2:::::x86:*
	cpe:2.3:o:microsoft:windows_server_2012:-:::::::*
	cpe:2.3:o:microsoft:windows_server_2012:r2:::::::*
	cpe:2.3:o:microsoft:windows_server_2016:-:::::::*
	cpe:2.3:o:microsoft:windows_server_2019:-:::::::*
	cpe:2.3:o:microsoft:windows_server_2022:-:::::::*
	cpe:2.3:o:microsoft:windows_server_2022_23h2:-:::::::*

References

Link	Resource
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20655	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: microsoft

Published: 2024-01-09T17:57:01.236Z

Updated: 2024-06-11T14:54:28.599Z

Reserved: 2023-11-28T22:58:12.114Z

Link: CVE-2024-20655

JSON object: View

NVD Information

Status : Modified

Published: 2024-01-09T18:15:48.307

Modified: 2024-05-29T00:15:11.797

Link: CVE-2024-20655

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-20655", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2023-11-28T22:58:12.114Z", "datePublished": "2024-01-09T17:57:01.236Z", "dateUpdated": "2024-06-11T14:54:28.599Z"}, "containers": {"cna": {"title": "Microsoft Online Certificate Status Protocol (OCSP) Remote Code Execution Vulnerability", "datePublic": "2024-01-09T08:00:00+00:00", "affected": [{"vendor": "Microsoft", "product": "Windows Server 2019", "cpes": ["cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.5329:*:*:*:*:*:*:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "10.0.0", "lessThan": "10.0.17763.5329", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2019 (Server Core installation)", "cpes": ["cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.5329:*:*:*:*:*:*:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "10.0.0", "lessThan": "10.0.17763.5329", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2022", "cpes": ["cpe:2.3:o:microsoft:windows_server_2022:10.0.20348.2227:*:*:*:*:*:*:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "10.0.0", "lessThan": "10.0.20348.2227", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2022, 23H2 Edition (Server Core installation)", "cpes": ["cpe:2.3:o:microsoft:windows_server_23h2:10.0.25398.643:*:*:*:*:*:*:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "10.0.0", "lessThan": "10.0.25398.643", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2016", "cpes": ["cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.6614:*:*:*:*:*:*:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "10.0.0", "lessThan": "10.0.14393.6614", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2016 (Server Core installation)", "cpes": ["cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.6614:*:*:*:*:*:*:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "10.0.0", "lessThan": "10.0.14393.6614", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2008 Service Pack 2", "cpes": ["cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.22464:*:*:*:*:*:x64:*"], "platforms": ["32-bit Systems"], "versions": [{"version": "6.0.0", "lessThan": "6.0.6003.22464", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2008 Service Pack 2 (Server Core installation)", "cpes": ["cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.22464:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.22464:*:*:*:*:*:x86:*"], "platforms": ["32-bit Systems", "x64-based Systems"], "versions": [{"version": "6.0.0", "lessThan": "6.0.6003.22464", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2008 Service Pack 2", "cpes": ["cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.22464:*:*:*:*:*:x86:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "6.0.0", "lessThan": "6.0.6003.22464", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2008 R2 Service Pack 1", "cpes": ["cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.26910:*:*:*:*:*:x64:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "6.1.0", "lessThan": "6.1.7601.26910", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2008 R2 Service Pack 1 (Server Core installation)", "cpes": ["cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.26910:*:*:*:*:*:x64:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "6.0.0", "lessThan": "6.1.7601.26910", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2012", "cpes": ["cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.24664:*:*:*:*:*:x64:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "6.2.0", "lessThan": "6.2.9200.24664", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2012 (Server Core installation)", "cpes": ["cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.24664:*:*:*:*:*:x64:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "6.2.0", "lessThan": "6.2.9200.24664", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2012 R2", "cpes": ["cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.21765:*:*:*:*:*:x64:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "6.3.0", "lessThan": "6.3.9600.21765", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2012 R2 (Server Core installation)", "cpes": ["cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.21765:*:*:*:*:*:x64:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "6.3.0", "lessThan": "6.3.9600.21765", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Microsoft Online Certificate Status Protocol (OCSP) Remote Code Execution Vulnerability", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-416: Use After Free", "lang": "en-US", "type": "CWE", "cweId": "CWE-416"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2024-06-11T14:54:28.599Z"}, "references": [{"name": "Microsoft Online Certificate Status Protocol (OCSP) Remote Code Execution Vulnerability", "tags": ["vendor-advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20655"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*", "matchCriteriaId": "2127D10C-B6F3-4C1D-B9AA-5D78513CC996", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*", "matchCriteriaId": "AB425562-C0A0-452E-AABE-F70522F15E1A", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "matchCriteriaId": "A7DF96F8-BA6A-4780-9CA3-F719B3F81074", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "matchCriteriaId": "DB18C4CE-5917-401E-ACF7-2747084FD36E", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "matchCriteriaId": "041FF8BA-0B12-4A1F-B4BF-9C4F33B7C1E7", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "matchCriteriaId": "DB79EE26-FC32-417D-A49C-A1A63165A968", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*", "matchCriteriaId": "821614DD-37DD-44E2-A8A4-FE8D23A33C3C", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2022_23h2:-:*:*:*:*:*:*:*", "matchCriteriaId": "75CCACE6-A0EE-4A6F-BD5A-7AA504B02717", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Microsoft Online Certificate Status Protocol (OCSP) Remote Code Execution Vulnerability"}, {"lang": "es", "value": "Vulnerabilidad de ejecuci\u00f3n remota de c\u00f3digo de Online Certificate Status Protocol (OCSP) de Microsoft"}], "id": "CVE-2024-20655", "lastModified": "2024-05-29T00:15:11.797", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.9, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2024-01-09T18:15:48.307", "references": [{"source": "secure@microsoft.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20655"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-416"}], "source": "secure@microsoft.com", "type": "Secondary"}]}