Sid 1-49333

Message

OS-WINDOWS Microsoft Windows DHCP Server remote code execution attempt

Summary

This event is generated when an attempt to exploit a vulnerability in a Windows DHCP Server is detected

Impact

High

Detailed information

Windows DHCP Server mishandles DHCP option 43: the sizes of the received data are not properly verified, and the way the server reassembles that data allows a crafted request to overflow a buffer in the server. The overflow can be used to overwrite sections of memory with maliciously crafted code and gain control over the server.
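As an added illustration of the length checks the description above calls for (example code written for this page, not the Snort rule's logic or Microsoft's implementation): a defensive parser that validates the DHCP options area and the sub-options encapsulated in option 43, rejecting any record whose declared length exceeds the bytes actually received. It assumes the RFC 2132 code/length/value layout for sub-options and RFC 3396 concatenation of repeated option codes; the sample byte strings are constructed.

```python
# Added example, not code from the Snort rule or from Microsoft's DHCP server:
# a bounds-checked parser for the DHCP options area and its option 43 sub-options.
OPT_PAD, OPT_VENDOR_SPECIFIC, OPT_END = 0, 43, 255


class MalformedOption(ValueError):
    """A declared length does not match the bytes actually present."""


def parse_tlv(buf: bytes, require_end: bool) -> dict:
    """Parse code/length/value records into {code: bytes}.
    The top-level options area (after the magic cookie) and the sub-options
    inside option 43 (RFC 2132 section 8.4) share this layout; only the
    sub-option field may omit the End marker. Repeated codes concatenate
    (RFC 3396), so a split option is validated once reassembled, not per piece.
    """
    out, i = {}, 0
    while i < len(buf):
        code = buf[i]
        if code == OPT_END:
            return out
        if code == OPT_PAD:  # pad octets carry no length byte
            i += 1
            continue
        if i + 1 >= len(buf):
            raise MalformedOption(f"option {code} truncated before its length byte")
        length = buf[i + 1]
        data = buf[i + 2:i + 2 + length]
        if len(data) != length:  # declared size exceeds what was received
            raise MalformedOption(f"option {code} declares {length} bytes, {len(data)} present")
        out[code] = out.get(code, b"") + data
        i += 2 + length
    if require_end:
        raise MalformedOption("options area ended without an End (255) option")
    return out


def check_dhcp_options(options: bytes) -> str:
    """Return 'ok' or 'reject: <reason>' for one message's options area."""
    try:
        opts = parse_tlv(options, require_end=True)
        if OPT_VENDOR_SPECIFIC in opts:
            parse_tlv(opts[OPT_VENDOR_SPECIFIC], require_end=False)
    except MalformedOption as exc:
        return f"reject: {exc}"
    return "ok"


# Constructed sample options areas (magic cookie already stripped).
GOOD = b"\x35\x01\x01" + b"\x2b\x06\x01\x04abcd" + b"\xff"  # message type, then option 43
SPLIT = b"\x2b\x02\x01\x04" + b"\x2b\x04abcd" + b"\xff"  # option 43 delivered in two pieces
BAD_OUTER = b"\x2b\x20" + b"\x01\x04abcd" + b"\xff"  # option 43 declares 32 bytes, 7 present
BAD_INNER = b"\x2b\x04" + b"\x01\x10ab" + b"\xff"  # sub-option 1 declares 16 bytes, 2 present
```

The SPLIT sample is the reassembly case: its first fragment would fail a per-piece check, but the concatenated option 43 is well-formed, so validation has to happen on the reassembled data and before any copy is made.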

Affected systems

  • Windows Server

Ease of attack

Medium

False positives

False negatives

Corrective action

Upgrade to the latest available version of Windows Server

Contributors

  • Cisco Talos Intelligence Group

Additional References

  • portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0626