Customer Advisory | Exploit Code Released for CVE-2022-21907: Critical Windows HTTP Vulnerability

By Deepwatch, January 20, 2022
Prepared by Deepwatch Threat Intel Team

Key Points:

  • Proof-of-concept exploit code has been publicly released for a recently disclosed remote code execution (RCE) vulnerability in the Windows HTTP protocol stack, tracked as CVE-2022-21907. Not every affected Windows version is exposed by default: on some releases the vulnerable code path is only reachable when a specific configuration has been enabled.
  • An unauthenticated threat actor could send a specially crafted packet to any system that processes HTTP requests through the vulnerable kernel-mode driver "http.sys". Successful exploitation could lead to complete system compromise or a denial-of-service condition.
  • Deepwatch Threat Intel Team assesses with moderate confidence that threat actors will attempt to exploit this vulnerability, because exploit code is public and http.sys sits behind a large internet-facing attack surface. The Threat Intel Team therefore recommends that customers work with their vulnerability management team to scan internet-facing systems so that exposed hosts can be identified and patched as soon as possible.

Summary

A remotely exploitable vulnerability in the Windows HTTP protocol stack, tracked as CVE-2022-21907, is rated by Microsoft as wormable, and the risk has increased with the publication of proof-of-concept exploit code on GitHub.

The vulnerability affects a long list of Microsoft products, including Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022, and presents a clear risk to organizations running vulnerable releases. Attack complexity is low, no user interaction is required, and a single malicious packet from an unauthenticated source is sufficient to trigger it. When Microsoft released its advisory on Jan. 11, it warned that the flaw could be used to build a network worm.

Which versions are affected?

  • Windows Server 2019 
    • Only vulnerable if HTTP trailer support is enabled via the EnableTrailerSupport registry value.
  • Windows Server, version 20H2
  • Windows Server 2022
  • Windows 10 Version 1809
    • Only vulnerable if HTTP trailer support is enabled via the EnableTrailerSupport registry value.
  • Windows 10 Versions 20H2, 21H1, and 21H2
  • Windows 11

Not affected:

  • Windows 10, Version 1909

Microsoft’s advisory states that “In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets. Microsoft recommends prioritizing the patching of affected servers.”

In an analysis of the vulnerability, Johannes Ullrich of the SANS Institute said, “Microsoft implemented http.sys as a kernel-mode driver. In other words: Running code via http.sys can lead to a complete system compromise. However, past vulnerabilities (for example, CVE-2021-31166) were never fully exploited as several techniques were used to mitigate exploitation, and PoCs released were only able to cause a denial of service.”

“This is NOT an IIS vulnerability, but a vulnerability in http.sys. http.sys is probably best described as the core HTTP/.Net engine used by IIS and other software. But other software using http.sys and possibly exposing the vulnerability: WinRM (Windows Remote Management), WSDAPI (Web Services for Devices) for example, expose http.sys.”

Deepwatch Threat Intelligence Outlook

Deepwatch Threat Intel Team assesses with moderate confidence that threat actors will attempt to exploit this vulnerability: proof-of-concept code is public, and http.sys is reachable on a large internet-facing attack surface that is not limited to IIS. The Threat Intel Team therefore recommends that customers work with their vulnerability management team to scan internet-facing systems for CVE-2022-21907 and apply the January 11 update as soon as possible.

For Windows Server 2019 and Windows 10 version 1809, which are vulnerable only when HTTP trailer support has been turned on, Microsoft provides a mitigation: delete the DWORD registry value "EnableTrailerSupport" if it is present under:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters

This mitigation only closes the gated code path on those two releases. The other affected versions listed above are vulnerable regardless of that value and must be patched.
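As an added example (this is not Deepwatch's or Microsoft's code), the following PowerShell triages a single host against the affected-version list above and applies the registry mitigation just described. The mapping from OS build numbers to the releases in that list (for example 17763 for Windows 10 1809 and Windows Server 2019), the use of netsh to enumerate http.sys listeners, and the reboot advice are assumptions drawn from general Windows administration knowledge, not from the advisory; the script name and its -Remediate switch are hypothetical.

```powershell
# Check-CVE-2022-21907.ps1 (hypothetical name; added example, not vendor code).
# Report-only by default; pass -Remediate to delete EnableTrailerSupport on
# the trailer-gated builds. Run from an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch]$Remediate
)

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$valueName = 'EnableTrailerSupport'

# Build numbers for the releases named in the advisory. ASSUMPTION: this
# mapping comes from general Windows release knowledge, not from the page.
$affectedBuilds = @{
    17763 = 'Windows 10 1809 / Windows Server 2019 (vulnerable only if EnableTrailerSupport is set)'
    19042 = 'Windows 10 20H2 / Windows Server, version 20H2'
    19043 = 'Windows 10 21H1'
    19044 = 'Windows 10 21H2'
    20348 = 'Windows Server 2022'
    22000 = 'Windows 11'
}

# 1. Identify the running build and whether this is a server SKU.
$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$build    = [int]$os.BuildNumber
$isServer = $os.ProductType -ne 1        # 1 = workstation, 2 = DC, 3 = server
$inScope  = $affectedBuilds.ContainsKey($build)
$trailerGated = ($build -eq 17763)       # the only build where the registry value matters

# 2. Read the registry value Microsoft's mitigation refers to.
#    Get-ItemProperty returns $null if the value (or the key) is absent.
$current = Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
$trailerEnabled = ($null -ne $current) -and ([int]$current.$valueName -ne 0)

# 3. Enumerate what is actually registered with http.sys. IIS, WinRM and
#    WSDAPI all register URL prefixes here, so this shows the host's http.sys
#    attack surface even when IIS is not installed.
$listeners = (& netsh http show servicestate view=requestq) -join "`n"

# 4. Decide exposure from the advisory's own rules: out-of-scope builds are
#    not affected; build 17763 is exposed only with trailer support on; every
#    other listed build is exposed until the January update is installed.
$exposedUnlessPatched = if (-not $inScope) { $false }
                        elseif ($trailerGated) { $trailerEnabled }
                        else { $true }

[pscustomobject]@{
    ComputerName          = $env:COMPUTERNAME
    Build                 = $build
    Release               = if ($inScope) { $affectedBuilds[$build] } else { 'not in advisory list' }
    IsServer              = $isServer
    TrailerSupportSet     = $trailerEnabled
    ExposedUnlessPatched  = $exposedUnlessPatched
    HttpSysListeners      = $listeners
}

# 5. Mitigation for the trailer-gated builds only. Patching is still required;
#    this just removes the configuration that exposes the vulnerable path.
if ($Remediate) {
    if ($trailerGated -and $null -ne $current) {
        Remove-ItemProperty -Path $regPath -Name $valueName
        # ASSUMPTION: http.sys reads its Parameters key when the driver loads,
        # so reboot before relying on the change.
        Write-Host "Removed $valueName from $regPath. Reboot before trusting the mitigation."
    }
    elseif ($inScope -and -not $trailerGated) {
        Write-Warning "Build $build is vulnerable regardless of $valueName; install the January 2022 update."
    }
    else {
        Write-Host "Nothing to remediate on build $build."
    }
}
```

The script deliberately does not probe the HTTP service itself; it only reports local state and the http.sys URL registrations, which is what a vulnerability management team needs to prioritize the internet-facing hosts the outlook above refers to. Whether the January update is actually installed still has to be confirmed through normal patch-compliance reporting.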
