January 20, 2022
Prepared by Deepwatch Threat Intel Team
Key Points:
- A recently disclosed remote code execution (RCE) vulnerability in Windows HTTP protocol stack, tracked as CVE-2022-21907, has had proof-of-concept exploit code publicly released. Some versions of the Windows Operating System are not susceptible to this vulnerability, depending on the configuration.
- An unauthenticated threat actor could send a specially crafted packet to a system that utilizes the vulnerable driver “http.sys” which could lead to a complete system compromise or cause a denial-of-service condition.
- Deepwatch Threat Intel Team assesses with moderate confidence that threat actors will attempt to exploit this vulnerability due to exploit code being released coupled with a wide attack surface that is Internet-facing. Therefore, the Threat Intel Team recommends customers work with their vulnerability management team to conduct vulnerability scans against internet-facing systems so this threat can be identified and patched as soon as possible.
Summary
A remotely exploitable vulnerability in Windows HTTP protocol stack, tracked as CVE-2022-21907, could be used to deploy a worm and has become even more severe with the publication of proof-of-concept exploit code on GitHub.
The vulnerability can be found in a long list of Microsoft products, including Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022, and presents a clear risk to organizations running vulnerable releases. The attack complexity is relatively low, requires no user interaction, and can be exploited with one malicious packet from an unauthenticated user. When Microsoft released its advisory on Jan. 11, it warned that the flaw could lead to a network worm.
Which versions are affected?
- Windows Server 2019
- Only vulnerable if HTTP trailer support is enabled via the EnableTrailerSupport registry value.
- Windows Server, version 20H2
- Windows Server 2022
- Windows 10 Version 1809
- Only vulnerable if HTTP trailer support is enabled via the EnableTrailerSupport registry value.
- Windows 10 Versions 20H2, 21H1, and 21H2
- Windows 11
Not affected:
- Windows 10, Version 1909
Microsoft’s advisory states that “In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets. Microsoft recommends prioritizing the patching of affected servers.”
In an analysis of the vulnerability, Johannes Ullrich of the SANS Institute said, “Microsoft implemented http.sys as a kernel-mode driver. In other words: Running code via http.sys can lead to a complete system compromise. However, past vulnerabilities (for example, CVE-2021-31166) were never fully exploited as several techniques were used to mitigate exploitation, and PoCs released were only able to cause a denial of service.”
“This is NOT an IIS vulnerability, but a vulnerability in http.sys. http.sys is probably best described as the core HTTP/.Net engine used by IIS and other software. But other software using http.sys and possibly exposing the vulnerability: WinRM (Windows Remote Management), WSDAPI (Web Services for Devices) for example, expose http.sys.”
Deepwatch Threat Intelligence Outlook
Deepwatch Threat Intel Team assesses with moderate confidence that threat actors will attempt to exploit this vulnerability due to exploit code being released coupled with a wide, internet-facing attack surface. Therefore, the Threat Intel Team recommends customers work with their vulnerability management team to conduct vulnerability scans against internet-facing systems so this threat can be identified and patched as soon as possible. In addition, for customers running Windows Server 2019 and Windows 10 version 1809 with HTTP Trailer Support enabled via EnableTrailerSupport registry value, Microsoft provides mitigation guidance and recommends deleting the DWORD registry value “EnableTrailerSupport” if present under:
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters |