CVE-2022-21907: HTTP Protocol Stack Remote Code Execution Vulnerability

CVE Summary
CVE Base Score: 9.8 CRITICAL (CVSS:3.1)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v3.1 Severity and Metrics
Base Score: 9.8 CRITICAL
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 3.9
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CVE Released: Jan 11, 2022, Last updated: Jan 12, 2022

Description:
This vulnerability affects the HTTP protocol stack (http.sys), which listens for and processes HTTP requests on IIS (Internet Information Services) servers. It was patched in the January 2022 “Patch Tuesday” release. In practice, sending a specially crafted packet allows remote code execution (RCE) by unauthenticated users. The attack complexity is low, and exploitation requires little or no user interaction.


According to the latest announcement from the Microsoft Security Response Center, Microsoft has fixed high-severity vulnerabilities in Windows Server and Windows 10/11 in the latest cumulative update. This vulnerability is tracked as CVE-2022-21907, and it is currently known that it can be exploited by sending specially crafted packets to the HTTP protocol stack. Given the severity of this vulnerability, Microsoft has not released detailed technical information or a proof of concept. It is expected that Microsoft will not release that information until most companies have applied the fix.


Attacker’s ability with this vulnerability:
This vulnerability enables an intruder to run code via http.sys, which can lead to a complete system compromise.

Affected Versions:
• Windows Server, version 20H2 (Server Core Installation)
• Windows Server 2022 (Server Core installation)
• Windows Server 2022
• Windows Server 2019 (Server Core installation)
• Windows Server 2019
• Windows 11 for x64-based Systems
• Windows 11 for ARM64-based Systems
• Windows 10 Version 21H2 for x64-based Systems
• Windows 10 Version 21H2 for ARM64-based Systems
• Windows 10 Version 21H2 for 32-bit Systems
• Windows 10 Version 21H1 for x64-based Systems
• Windows 10 Version 21H1 for ARM64-based Systems
• Windows 10 Version 21H1 for 32-bit Systems
• Windows 10 Version 20H2 for x64-based Systems
• Windows 10 Version 20H2 for ARM64-based Systems
• Windows 10 Version 20H2 for 32-bit Systems
• Windows 10 Version 1809 for x64-based Systems
• Windows 10 Version 1809 for ARM64-based Systems
• Windows 10 Version 1809 for 32-bit Systems
• Systems lacking the Windows patches KB4598481, KB5003173, KB5000736, or installed from a system ISO dated before 2021-05.

Mitigation:
Windows Server 2019 and Windows 10 version 1809 are not vulnerable by default. These systems are vulnerable only if HTTP Trailer Support has been enabled via the EnableTrailerSupport registry value.
Delete the DWORD registry value “EnableTrailerSupport” if it is present under:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters

This mitigation applies only to Windows Server 2019 and Windows 10 version 1809. It does not apply to Windows 20H2 and newer.
To check the registry value in PowerShell:
Get-ItemProperty "HKLM:\System\CurrentControlSet\Services\HTTP\Parameters" | Select-Object EnableTrailerSupport
To get a quick list of processes using http.sys, use:
netsh http show servicestate
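
The registry check and mitigation above, combined into one PowerShell script. This is an added example, not code from Microsoft or the original advisory; the -Remove switch is a name chosen for this example, and build number 17763 is used to identify Windows Server 2019 and Windows 10 version 1809.

```powershell
# Added example: audit the EnableTrailerSupport value and, with -Remove, delete it.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # hypothetical switch name chosen for this example
)

$key  = 'HKLM:\System\CurrentControlSet\Services\HTTP\Parameters'
$name = 'EnableTrailerSupport'

# Build 17763 = Windows Server 2019 / Windows 10 version 1809, the only
# releases the registry mitigation applies to.
$build = [System.Environment]::OSVersion.Version.Build
$mitigationApplies = ($build -eq 17763)

# The value (or the whole key) may not exist, so suppress the lookup error.
$prop  = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
$value = if ($null -ne $prop) { $prop.$name } else { $null }

# Emit one record per host so results can be collected and compared.
[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    Build                = $build
    MitigationApplies    = $mitigationApplies
    EnableTrailerSupport = if ($null -eq $value) { 'not present' } else { $value }
}

if (-not $mitigationApplies) {
    Write-Warning "Build ${build}: the registry mitigation does not apply here; install the security update."
}

# Delete the value only when asked to and only when it actually exists.
if ($Remove -and $null -ne $value) {
    if ($PSCmdlet.ShouldProcess("$key\$name", 'Remove registry value')) {
        Remove-ItemProperty -Path $key -Name $name -ErrorAction Stop
        Write-Verbose "Removed $name from $key"
    }
}
```

Run the script without arguments to audit only. Removing the value requires an elevated session, and -WhatIf previews the change without making it.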


References:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21907
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21907
https://isc.sans.edu/diary/A+Quick+CVE-2022-21907+FAQ/28234

Published: 26 January 2022, 17:07:48 BST
