Vulnerability in HTTP.sys Could Allow Remote Code Execution

Published on: 16 Apr 2015 by: Paul Stovell

It may not have a cool code name, but this is a very severe problem:

Vulnerability in HTTP.sys Could Allow Remote Code Execution

A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who successfully exploited this vulnerability could execute arbitrary code in the context of the System account.

As far as this applies to Octopus Deploy:

  1. The Octopus server/web portal uses HTTP.sys (as does IIS), so you'll need to ensure this patch is installed on your Octopus server.
  2. The Tentacle agent software does not use HTTP.sys.
  3. If you are deploying applications to IIS, or to self-hosted web applications built with frameworks like Nancy SelfHost or WebAPI self host (which build on HttpListener, which ultimately builds on HTTP.sys), you should patch those servers.
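
To find out which processes on a given server actually sit on top of HTTP.sys (IIS worker processes, the Octopus server, HttpListener-based self-hosted apps), you can read the driver's own request-queue state. The script below is an added example, not part of the original post or of Octopus Deploy; the function name `ConvertFrom-HttpSysServiceState` is hypothetical, and the parsing assumes English-language `netsh` output.

```powershell
# Added example: map HTTP.sys request queues to the processes that own them.
# Assumption: English-language output of "netsh http show servicestate".
function ConvertFrom-HttpSysServiceState {
    param([string[]]$Lines)

    $queues  = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^Request queue name:\s*(.+)$') {
            # An unindented "Request queue name:" line starts a new queue block.
            $current = [pscustomobject]@{
                Queue      = $Matches[1].Trim()
                ProcessIds = @()
                Urls       = @()
            }
            $queues += $current
        }
        elseif ($null -eq $current) { continue }
        elseif ($line -match '^\s+(\d+)\s*$') {
            # Bare indented numbers are the PIDs listed under "Process IDs:".
            $current.ProcessIds += [int]$Matches[1]
        }
        elseif ($line -match '^\s+(https?://\S+)\s*$') {
            # URL prefixes registered with HTTP.sys for this queue.
            $current.Urls += $Matches[1]
        }
    }

    foreach ($q in $queues) {
        # Resolve each PID to a process name; keep the bare PID if it has exited.
        $names = foreach ($id in $q.ProcessIds) {
            $p = Get-Process -Id $id -ErrorAction SilentlyContinue
            if ($p) { "$($p.ProcessName) ($id)" } else { "pid $id" }
        }
        [pscustomobject]@{
            Queue     = $q.Queue
            Processes = @($names) -join ', '
            Urls      = $q.Urls -join ', '
        }
    }
}

# Query the live HTTP.sys state on this machine and print one row per queue.
ConvertFrom-HttpSysServiceState -Lines (netsh http show servicestate view=requestq) |
    Format-Table -AutoSize -Wrap
```

Any row with a registered URL means something on that server is listening through HTTP.sys, so the server belongs on the patch list even if IIS is not installed.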