Home / About / Threat Intelligence / Dangerous Wormable Flaw Found by Microsoft (HTTP.sys)

Overview

Microsoft has patched a critical vulnerability (CVE-2022-21907) found to impact the latest desktop and server Windows versions, including Windows 11 and Windows Server 2022.
The remote code execution (RCE) bug was found in the HTTP Protocol Stack (HTTP.sys) used for processing HTTP requests by the Windows Internet Information Services (IIS) web server.

Bugs which can be exploited remotely over a network with no interaction, like this one, are particularly dangerous as exploitation is possible without any human interaction and the process can be automated to spread very quickly.

Impact

Successful exploitation requires threat actors to send maliciously crafted packets to targeted Windows servers, which use the vulnerable HTTP Protocol Stack for processing packets.
It could allow unauthenticated attackers to remotely execute arbitrary code in low complexity attacks and without requiring user interaction (for most situations).

The flaw is not currently under active exploitation and there are no publicly disclosed proof of concept exploits.

Its wormable, meaning exploit could self-propagate through a network with no user interaction. It carries the most severe CVSS vulnerability-severity rating of the entire update, coming in at 9.8 on the 10-point scale.

Products Affected

  • Windows 10
  • Windows Server 2019
  • Windows Server 2022

Containment, Mitigations & Remediation

Patch immediately: users are recommended to prioritise patching this flaw on all affected servers.

On some Windows versions (i.e., Windows Server 2019 and Windows 10 version 1809), the HTTP Trailer Support feature containing the bug is not enabled by default.

The following Windows registry key must be configured on these two Windows versions to introduce the vulnerability:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\
“EnableTrailerSupport”=dword:00000001

Disabling the HTTP Trailer Support feature will protect systems running the two versions, but this mitigation does not apply to other impacted Windows releases.

Indicators of Compromise

There are currently no IOCs.

Threat Landscape

Some home users are yet to apply security updates, whereas most companies will likely be protected from CVE-2022-21907 exploits, given that they don’t commonly run the latest released Windows versions. In the last two years, Microsoft has patched several other wormable bugs, impacting the Windows DNS Server (also known as SIGRed), the Remote Desktop Services (RDS) platform (aka BlueKeep), and the Server Message Block v3 protocol (aka SMBGhost). Another Windows HTTP RCE vulnerability was address in May 2021 (also tagged as wormable) – security researchers released demo exploit code that could trigger blue screens of death. That said, threat actors are yet to exploit them to produce wormable malware capable of spreading between vulnerable systems running vulnerable Windows software.

Mitre Methodologies

[S0608] – Conficker
[TA0002] – Execution, Tactic

Further Information

HTTP Protocol Stack Remote Code Execution Vulnerability

Microsoft: New critical Windows HTTP vulnerability is wormable

First Patch Tuesday of 2022 Brings Fix for a Critical ‘Wormable’ Windows Vulnerability

Microsoft Faces Wormable, Critical RCE Bug & 6 Zero-Days