Remote code execution vulnerability in the HTTP protocol stack
Microsoft has closed a critical vulnerability in “http.sys”. The vulnerability is also known by the CVE number “CVE-2022-21907”; currently there is no catchy name for it.
Dr. Johannes Ullrich, Head of Research at the SANS Technology Institute and Founder of the Internet Storm Center
http.sys is a widely used module for web servers in Windows. Microsoft describes the vulnerability as wormable and recommends that patches for it be installed as a priority. Most of the newer versions of Windows are affected.
Dr. Johannes Ullrich is Head of Research at the SANS Technology Institute and founder of the Internet Storm Center (https://isc.sans.edu/), which provides free analysis and alerts to thousands of Internet users and organizations.
In a short Q&A, Dr. Ullrich answers basic questions about the vulnerability CVE-2022-21907.
1. When will the vulnerability be exploited?
This is currently uncertain. According to Microsoft, exploitation is currently “more likely”. I recommend patching the vulnerability this week.
2. Which versions are affected?
The note from Microsoft is worded a bit strangely. What I take from the note at this time is: the vulnerable code was introduced in Windows Server 2019 and Windows 10 version 1809. However, in these versions of Windows, a registry key was set by default that disabled the function. All later versions are inherently vulnerable.
3. Am I vulnerable if I have not activated Internet Information Server (IIS)?
Maybe. It is not an IIS vulnerability, but a vulnerability in http.sys. http.sys is probably best described as the central HTTP engine in IIS. But other software that uses http.sys could possibly also be exploited through this vulnerability, for example WinRM (Windows Remote Management) and WSDAPI (Web Services for Devices).
4. What can an attacker do with this vulnerability?
Microsoft has implemented http.sys as a kernel-mode driver. In other words: code execution via http.sys can lead to a complete compromise of the system. However, previous vulnerabilities (for example, CVE-2021-31166) were never fully exploited, since various techniques were in place to mitigate exploitation, and the released POCs could only cause a denial of service. The CVSS 3.1 base score for the vulnerability is 9.8 out of 10.
5. Can a Web Application Firewall help?
Probably yes. One could start (at your own risk) by blocking requests with trailers. Perhaps these should be logged first to see whether they are being used legitimately. The web application firewall vendors provide details on this.
6. Has there been a similarly serious security vulnerability in the past?
In 2015, CVE-2015-1635 (MS15-34) was similar. Those who still remember this vulnerability may find their knowledge of it useful now. However, this range header vulnerability has never been particularly severe.
7. What are these “trailers” about anyway?
Trailers are defined in RFC7230. They only make sense if “Transfer-Encoding: chunked” is used. With chunked encoding, the body of a request or response is transmitted in small chunks. Each chunk is preceded by its length in bytes. The idea behind this is that, when sending begins, it is not yet known how long the message will be. In addition, with chunked encoding the sender can postpone the transmission of some headers until after the body has been sent. These become “trailers”.
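As an added illustration of questions 5 and 7 (example code written for this page, not from the article, Dr. Ullrich or the ISC): a small Python parser that decodes a chunked HTTP/1.1 body as described in RFC 7230 and surfaces the trailer section, which is exactly the condition a WAF logging or blocking rule would key on. The sample request and its hostname are constructed.

```python
# Added example: decode a chunked body (RFC 7230 section 4.1) and report any trailer fields.
CRLF = b"\r\n"

def parse_chunked(body: bytes):
    """Decode a chunked body. Returns (decoded_bytes, trailers as [(name, value)])."""
    pos, out = 0, bytearray()
    while True:
        eol = body.index(CRLF, pos)
        # chunk-size is hexadecimal; anything after ';' is a chunk extension and is ignored
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:  # last-chunk: what follows is the (possibly empty) trailer section
            break
        out += body[pos:pos + size]
        pos += size
        if body[pos:pos + 2] != CRLF:
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2
    trailers = []
    while True:  # zero or more header fields, terminated by an empty line
        eol = body.index(CRLF, pos)
        line, pos = body[pos:eol], eol + 2
        if not line:
            break
        name, _, value = line.partition(b":")
        trailers.append((name.strip().decode("latin-1"), value.strip().decode("latin-1")))
    return bytes(out), trailers

def inspect_request(raw: bytes) -> dict:
    """Split a raw request into headers and body, decode a chunked body, report trailers."""
    head, _, body = raw.partition(CRLF + CRLF)
    request_line, *header_lines = head.split(CRLF)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    chunked = "chunked" in headers.get("transfer-encoding", "").lower()
    decoded, trailers = parse_chunked(body) if chunked else (body, [])
    return {"request_line": request_line.decode("latin-1"), "chunked": chunked,
            "body": decoded, "trailers": trailers, "has_trailers": bool(trailers)}

# Constructed sample: a chunked POST whose body is followed by one trailer field.
SAMPLE = (b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
          b"Transfer-Encoding: chunked\r\nTrailer: X-Checksum\r\n\r\n"
          b"5\r\nhello\r\n6;ext=1\r\n world\r\n0\r\nX-Checksum: 1234\r\n\r\n")

if __name__ == "__main__":
    print(inspect_request(SAMPLE))  # has_trailers: True, body: b'hello world'
```

A request that is chunked but carries no trailer section still ends with the empty line after the zero-length chunk, so `has_trailers` stays False for it.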