CVE-2022-21907: HTTP Protocol Stack Remote Code Execution Vulnerability
by CIRT Team
CVE Base Score: 9.8 CRITICAL (CVSS:3.1)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v3.1 Severity and Metrics
Base Score: 9.8 CRITICAL
Impact Score: 5.9
Exploitability Score: 3.9
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVE Released: Jan 11, 2022, Last updated: Jan 12, 2022
This vulnerability concerns the HTTP protocol stack (http.sys), the kernel-mode driver that listens for and processes HTTP requests on behalf of IIS (Internet Information Services) and other Windows services. It was patched in the January 2022 "Patch Tuesday" release. In practice, sending a specially crafted packet allows an unauthenticated remote attacker to achieve remote code execution (RCE). Attack complexity is low and no user interaction is required.
According to the latest announcement from the Microsoft Security Response Center, Microsoft has fixed high-severity vulnerabilities in Windows Server and Windows 10/11 in the latest cumulative update. This vulnerability is tracked as CVE-2022-21907; what is currently known is that it can be exploited by sending specially crafted packets to the HTTP protocol stack. Given the severity of the vulnerability, Microsoft has not released technical details or a proof of concept, and is expected to withhold them until most organisations have completed patching.
Attacker's ability with this vulnerability:
This vulnerability enables an intruder to run code via http.sys, which runs in kernel mode, and can therefore lead to a complete system compromise.
Affected products:
• Windows Server, version 20H2 (Server Core Installation)
• Windows Server 2022 (Server Core installation)
• Windows Server 2022
• Windows Server 2019 (Server Core installation)
• Windows Server 2019
• Windows 11 for x64-based Systems
• Windows 11 for ARM64-based Systems
• Windows 10 Version 21H2 for x64-based Systems
• Windows 10 Version 21H2 for ARM64-based Systems
• Windows 10 Version 21H2 for 32-bit Systems
• Windows 10 Version 21H1 for x64-based Systems
• Windows 10 Version 21H1 for ARM64-based Systems
• Windows 10 Version 21H1 for 32-bit Systems
• Windows 10 Version 20H2 for x64-based Systems
• Windows 10 Version 20H2 for ARM64-based Systems
• Windows 10 Version 20H2 for 32-bit Systems
• Windows 10 Version 1809 for x64-based Systems
• Windows 10 Version 1809 for ARM64-based Systems
• Windows 10 Version 1809 for 32-bit Systems
• Systems lacking the KB4598481 / KB5003173 / KB5000736 Windows patches, or installed from a system ISO image dated before 2021-05.
Windows Server 2019 and Windows 10 version 1809 are not vulnerable by default: they are only affected if HTTP Trailer Support has been enabled via the EnableTrailerSupport registry value.
Delete the DWORD registry value "EnableTrailerSupport" if present under:
HKLM\System\CurrentControlSet\Services\HTTP\Parameters
This mitigation applies only to Windows Server 2019 and Windows 10, version 1809; it does not apply to Windows 20H2 and newer.
To check the registry value in PowerShell:
Get-ItemProperty "HKLM:\System\CurrentControlSet\Services\HTTP\Parameters" | Select-Object EnableTrailerSupport
To get a quick list of the services and URLs currently registered with http.sys (the hosts exposed through this driver are not limited to IIS), use:
netsh http show servicestate
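The registry check, the version caveat and the netsh listing above combined into one triage function, as an added example written for this page (not the CIRT team's own tooling). It assumes an elevated PowerShell session on the host under review, that build 17763 identifies Windows 10 1809 / Windows Server 2019, and treats the KB numbers quoted above as the patches to look for via Get-HotFix (a coarse indicator, since Get-HotFix does not reflect every cumulative update).

```powershell
# Added example, not part of the original advisory.
# Assumes: elevated session; build 17763 = Win10 1809 / Server 2019;
# KB list is the one quoted in the advisory, checked coarsely via Get-HotFix.
function Test-Cve202221907Exposure {
    [CmdletBinding()]
    param([switch]$Remediate)   # delete the registry value when set

    $httpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $build   = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild
    $trailer = (Get-ItemProperty -Path $httpKey -Name EnableTrailerSupport -ErrorAction SilentlyContinue).EnableTrailerSupport

    $report = [ordered]@{
        Build                = $build
        EnableTrailerSupport = $trailer
        Exposed              = $false
        Action               = 'None'
    }

    if ($build -eq 17763) {
        # 1809 / Server 2019: only vulnerable when trailer support was switched on
        if ($trailer -eq 1) {
            $report.Exposed = $true
            $report.Action  = "Delete EnableTrailerSupport under $httpKey"
            if ($Remediate) {
                Remove-ItemProperty -Path $httpKey -Name EnableTrailerSupport
                $report.Action = 'EnableTrailerSupport deleted'
            }
        }
    } elseif ($build -gt 17763) {
        # 20H2 and newer: the registry mitigation does not apply; patch level decides
        $missing = foreach ($kb in 'KB4598481', 'KB5003173', 'KB5000736') {
            if (-not (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)) { $kb }
        }
        if ($missing) {
            $report.Exposed = $true
            $report.Action  = "Install missing updates: $($missing -join ', ')"
        }
    } else {
        $report.Action = 'Build not in the affected list'
    }

    # URLs registered with http.sys, to judge what is reachable through the driver
    $report.HttpListeners = (netsh http show servicestate view=requestq verbose=no) -match 'HTTPS?://'
    [pscustomobject]$report
}

Test-Cve202221907Exposure | Format-List
```

Run without -Remediate first to review the report; -Remediate only removes the registry value and does not replace installing the update on 20H2 and newer.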
Published: 26 January 2022, 17:07:48 BST
26 Oct 2023 - Security Advisories & Alerts