- Microsoft's Patch Tuesday included a fix for CVE-2022-21907, a critical HTTP Protocol Stack (http.sys) remote code execution vulnerability. While malicious actors have not exploited the vulnerability yet, Microsoft said exploitation is "more likely."
- The vulnerability is wormable, so an attacker does not need to interact with a user or privileged access to infect a system. "In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets," the company said.
- While not vulnerable by default, the security alert includes Windows Server 2019 and Windows 10 version 1809. Windows 10 version 1909 is not impacted. With a CVSS of 9.8, Microsoft is recommending organizations prioritize the patch for affected servers.
CVE-2022-21907 echoes CVE-2015-1635, which impacted Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2. Through the remote code execution vulnerability, attackers could leverage specially crafted HTTP requests.
The complexity of an attack using CVE-2022-21907 is relatively low, which heightens the severity of the vulnerability.
While the vulnerability is for servers, Windows users who run http.sys are also impacted. If an attacker can run code using http.sys, organizations can face broad system compromise, according to Johannes Ullrich, the dean of research for SANS Technology Institute and founder of the Internet Storm Center, in an emailed statement to Cybersecurity Dive.
By disabling the HTTP Trailer Support feature, the two versions will be protected. Windows Server 2019 and Windows 10 version 1809 "had a registry key set by default disabling the feature. All later versions are vulnerable 'out of the box,'" Ullrich said.
Web application firewalls will likely help block requests with trailers, Ullrich said. He recommends companies "log them first to see if you see legitimate uses."
If a company has internet information services (IIS) disabled for Windows Server, it might be safe from the vulnerability. However, Ullrich warns "a vulnerability in http.sys. is probably best described as the core HTTP engine inside IIS."
Other software, including Windows Remote Management and Web Services for Devices, run http.sys, which could expose CVE-2022-21907.