HTTP Stack Remote Code Execution Vulnerability (CVE-2022-21907) Alert

January 28, 2022 | Jie Ji

Overview

On January 12, NSFOCUS CERT detected that Microsoft released its monthly security update, which fixes an HTTP protocol stack remote code execution vulnerability (CVE-2022-21907). A buffer overflow can occur due to a boundary error in the HTTP Trailer Support feature of the HTTP stack (HTTP.sys). An unauthenticated attacker can execute arbitrary code on a target system by sending specially crafted HTTP packets to a web server. Microsoft describes the vulnerability as “wormable”, meaning it can self-propagate through a network without user interaction; its CVSS score is 9.8. A PoC that can cause a BSoD on the target host has already been disclosed, so affected users are advised to take protective measures as soon as possible.

The Windows HTTP stack (HTTP.sys) is a kernel driver for processing HTTP requests in the Windows operating system, commonly used in communication between web browsers and web servers, as well as in Internet Information Services (IIS).

We successfully reproduced it for the first time.

Reference link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21907

Scope of Impact

Affected Version

  • Windows Server 2019 (Server Core installation)
  • Windows Server 2019
  • Windows 10 Version 21H2 for ARM64-based Systems
  • Windows 10 Version 21H2 for 32-bit Systems
  • Windows 11 for ARM64-based Systems
  • Windows 11 for x64-based Systems
  • Windows Server, version 20H2 (Server Core Installation)
  • Windows 10 Version 20H2 for ARM64-based Systems
  • Windows 10 Version 20H2 for 32-bit Systems
  • Windows 10 Version 20H2 for x64-based Systems
  • Windows Server 2022 (Server Core installation)
  • Windows Server 2022
  • Windows 10 Version 21H1 for 32-bit Systems
  • Windows 10 Version 21H1 for ARM64-based Systems
  • Windows 10 Version 21H1 for x64-based Systems
  • Windows 10 Version 21H2 for x64-based Systems
  • Windows 10 Version 1809 for ARM64-based Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 1809 for 32-bit Systems

Attention

  • Windows 10 version 1909 (unaffected)
  • Windows Server 2019 (Default configuration is not affected)
  • Windows 10 version 1809 (Default configuration is not affected)

Mitigation

Patch update

At present, Microsoft has officially released a security patch to fix this vulnerability for supported product versions. It is strongly recommended that affected users install the patch as soon as possible for protection. The official download link:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21907

Note: Windows Update may fail to install the patch because of network or local environment problems. After installing the patch, users should promptly verify that it was applied successfully.

Right-click the Windows icon, select “Settings (N)”, then “Update and Security” – “Windows Update”, and check the status shown on that page. You can also click “View Update History” to review past updates.

For updates that were not installed successfully, click the update name to open the official Microsoft download page. It is recommended to follow the link on that page to the “Microsoft Update Catalog” website and download and install the standalone package.

Temporary mitigation

Users of Windows Server 2019 and Windows 10 version 1809 who are temporarily unable to install the patch can apply the following temporary mitigation:

Deleting the DWORD registry value “EnableTrailerSupport” protects against this vulnerability. The value lives under the key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters

Note: The above versions are only affected by this vulnerability when the user has enabled HTTP Trailer Support through the EnableTrailerSupport registry value, and the default configuration is not affected by this vulnerability.
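The following PowerShell script is an added example (not NSFOCUS or Microsoft code) that checks whether this workaround applies to the local host and removes the value only when it is present. It assumes that OS build 17763 identifies Windows 10 version 1809 and Windows Server 2019 (the only versions the workaround covers), and that it is run from an elevated session.

```powershell
# Check for, back up and remove the EnableTrailerSupport registry value
# (CVE-2022-21907 workaround for Windows 10 1809 / Windows Server 2019).
# Without -Apply the removal runs in -WhatIf mode and only reports what it would do.
param([switch]$Apply)

$regPath   = 'HKLM:\System\CurrentControlSet\Services\HTTP\Parameters'
$regExport = 'HKLM\System\CurrentControlSet\Services\HTTP\Parameters'
$valueName = 'EnableTrailerSupport'

# Assumption: build 17763 is Windows 10 1809 / Windows Server 2019. Other builds
# are not covered by this workaround and must be patched instead.
$build = [System.Environment]::OSVersion.Version.Build
if ($build -ne 17763) {
    Write-Host "Build $build is not 1809/2019; install the security update instead."
    return
}

# A missing key or value means trailer support is at its default (off) and the
# host is not affected; nothing to change.
$props = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
if ($null -eq $props -or -not ($props.PSObject.Properties.Name -contains $valueName)) {
    Write-Host "$valueName is not set; default configuration, host is not affected."
    return
}

$current = $props.$valueName
Write-Host "$valueName is present with data $current; host is exposed if HTTP.sys is reachable."

# Export the key first so the setting can be restored once the patch is installed.
$backup = Join-Path $env:TEMP "HTTP-Parameters-$(Get-Date -Format yyyyMMddHHmmss).reg"
reg.exe export $regExport $backup /y | Out-Null
Write-Host "Key exported to $backup"

# Remove the value. With -Apply the change is made; otherwise it is only previewed.
Remove-ItemProperty -Path $regPath -Name $valueName -WhatIf:(-not $Apply)
```

Run it once without -Apply to confirm the host, value and backup path, then again with -Apply to remove the value.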

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA). A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.