We’re just a few weeks into 2022, and we already have a new critical vulnerability to face. On the first Patch Tuesday of the year, Microsoft released the CVE-2022-21907 security update.
Without much explanation from the vendor (“HTTP Protocol Stack Remote Code Execution Vulnerability”), the vulnerability received a critical CVSS score of 9.8 and drew researchers’ attention. Moreover, Microsoft has marked it as “wormable” and strongly recommends prioritizing the mitigation or patching of affected hosts.
Adding to the discussion, the previous Patch Tuesday round produced reports of broken software and bugs after the KBs were installed, leading many administrators to hold off on updating until they get more clarity.
Here’s everything you need to know:
What is the CVE-2022-21907 vulnerability?
CVE-2022-21907 is an HTTP.sys vulnerability that could potentially lead to remote code execution on vulnerable Windows hosts.
HTTP.sys is the kernel-mode driver that implements the Windows HTTP protocol stack, part of the Windows networking subsystem. It is used by IIS and ASP.NET web servers as well as by other Windows services that may expose the vulnerability, such as WinRM and WSDAPI. An important thing to stress is that, according to the documentation, it isn’t just Windows proprietary services that could be vulnerable. Any other application code that leverages HTTP.sys to expose a listener to the internet, even without using IIS, could potentially be impacted by this vulnerability.
The vulnerability resides in the HTTP Trailer support feature of HTTP.sys, which comes into play when a message uses ‘chunked’ transfer encoding. In short, chunked encoding is the way one HTTP peer tells the other that the message body will be sent as a series of chunks, each prefixed with its length, instead of as one block with a known Content-Length. The Trailer header is the way the sender declares, in the headers before the body, which metadata fields will be sent at the end of the message, after the final zero-length chunk. This lets the recipient prepare for those fields before it processes the message body.
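To make the wire format concrete, here is an added example written for this article (it is not code from Microsoft or from the HTTP.sys driver, and it does not reproduce the vulnerability). It builds a chunked POST request that announces a Content-MD5 trailer, then decodes it the way a receiver must: chunk by chunk, then the trailer section after the zero-length chunk. The request target, host name and chunk size are invented; the decoder only accepts trailer fields that the Trailer header announced, which is the consistency check any parser of this part of the message has to get right.

```powershell
# Added example for this article: encode and decode a chunked HTTP/1.1 request
# that carries a trailer section. Illustrative code only; it is not the HTTP.sys
# implementation and does not reproduce CVE-2022-21907.

function New-ChunkedRequest {
    # Builds a POST whose body is split into chunks of $ChunkSize bytes and whose
    # Content-MD5 is sent as a trailer, i.e. after the body, which is exactly
    # what the Trailer header announces up front.
    param([string]$Body, [int]$ChunkSize = 5)
    $bytes  = [System.Text.Encoding]::ASCII.GetBytes($Body)
    $digest = [Convert]::ToBase64String(
        [System.Security.Cryptography.MD5]::Create().ComputeHash($bytes))
    $sb = [System.Text.StringBuilder]::new()
    [void]$sb.Append("POST /upload HTTP/1.1`r`n")        # request target is invented
    [void]$sb.Append("Host: example.internal`r`n")       # invented host name
    [void]$sb.Append("Transfer-Encoding: chunked`r`n")
    [void]$sb.Append("Trailer: Content-MD5`r`n`r`n")     # announce the trailer field
    for ($i = 0; $i -lt $bytes.Length; $i += $ChunkSize) {
        $len = [Math]::Min($ChunkSize, $bytes.Length - $i)
        # one chunk = hex size, CRLF, data, CRLF
        [void]$sb.Append(('{0:x}' -f $len) + "`r`n")
        [void]$sb.Append([System.Text.Encoding]::ASCII.GetString($bytes, $i, $len) + "`r`n")
    }
    # last-chunk (size 0), then the trailer section, then the empty line ending the message
    [void]$sb.Append("0`r`nContent-MD5: $digest`r`n`r`n")
    $sb.ToString()
}

function ConvertFrom-ChunkedRequest {
    # Parses headers, de-chunks the body and collects the trailer fields.
    param([string]$Raw)
    $headerEnd = $Raw.IndexOf("`r`n`r`n")
    if ($headerEnd -lt 0) { throw 'Malformed request: no end of headers' }
    $headers = @{}
    foreach ($line in ($Raw.Substring(0, $headerEnd) -split "`r`n" | Select-Object -Skip 1)) {
        $name, $value = $line -split ':\s*', 2
        $headers[$name] = $value
    }
    if ($headers['Transfer-Encoding'] -ne 'chunked') { throw 'Not a chunked message' }
    $pos  = $headerEnd + 4
    $body = [System.Text.StringBuilder]::new()
    while ($true) {
        $lineEnd = $Raw.IndexOf("`r`n", $pos)
        if ($lineEnd -lt 0) { throw 'Malformed chunk-size line' }
        # chunk-size is hex, optionally followed by ';' chunk extensions, which we ignore;
        # sizes are capped at 7 hex digits so the conversion cannot overflow
        $sizeHex = ($Raw.Substring($pos, $lineEnd - $pos) -split ';', 2)[0].Trim()
        if ($sizeHex -notmatch '^[0-9A-Fa-f]{1,7}$') { throw "Invalid chunk size '$sizeHex'" }
        $size = [Convert]::ToInt32($sizeHex, 16)
        $pos  = $lineEnd + 2
        if ($size -eq 0) { break }                       # last-chunk reached
        if ($pos + $size + 2 -gt $Raw.Length) { throw 'Chunk runs past end of message' }
        [void]$body.Append($Raw.Substring($pos, $size))
        $pos += $size
        if ($Raw.Substring($pos, 2) -ne "`r`n") { throw 'Missing CRLF after chunk data' }
        $pos += 2
    }
    # Trailer section: header-style lines after the last-chunk, ended by an empty line.
    $trailers = @{}
    while ($true) {
        $lineEnd = $Raw.IndexOf("`r`n", $pos)
        if ($lineEnd -lt 0) { throw 'Malformed trailer section' }
        $line = $Raw.Substring($pos, $lineEnd - $pos)
        $pos  = $lineEnd + 2
        if ($line -eq '') { break }
        $name, $value = $line -split ':\s*', 2
        $trailers[$name] = $value
    }
    # Only fields announced in the Trailer header are accepted.
    $announced = $headers['Trailer'] -split ',\s*'
    foreach ($t in @($trailers.Keys)) {
        if ($announced -notcontains $t) { throw "Unannounced trailer field '$t'" }
    }
    [pscustomobject]@{ Headers = $headers; Body = $body.ToString(); Trailers = $trailers }
}

# Round trip on a constructed body and verify the trailer against the decoded body.
$raw   = New-ChunkedRequest -Body 'hello, world' -ChunkSize 5
$msg   = ConvertFrom-ChunkedRequest -Raw $raw
$check = [Convert]::ToBase64String(
    [System.Security.Cryptography.MD5]::Create().ComputeHash(
        [System.Text.Encoding]::ASCII.GetBytes($msg.Body)))
"Body: '{0}'  Content-MD5 trailer matches body: {1}" -f $msg.Body, ($msg.Trailers['Content-MD5'] -eq $check)
```

The point to notice is that the trailer is only reachable after the whole chunked body has been consumed, so a receiver such as HTTP.sys has to keep parser state across the body and then switch back to header-style parsing; that second parsing path is the code that the EnableTrailerSupport setting turns on or off.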
Does it affect me?
According to Microsoft’s advisory, the following Windows versions are vulnerable:
Windows
- 10 Version 1809 Systems
- 10 Version 20H2 Systems
- 10 Version 21H1 Systems
- 10 Version 21H2 Systems
- 11 for x64-based and ARM64-based Systems
Windows Server
- 2019
- 2019 (Core installation)
- 2022
- 2022 (Server Core installation)
- version 20H2 (Server Core Installation)
Note that Windows Server 2019 and Windows 10 version 1809 are not vulnerable by default, because HTTP Trailer support is disabled by default on these versions.
Has CVE-2022-21907 been actively exploited in the wild?
As with last year’s CVE-2021-31166, which raised the same problem for earlier Windows versions, the only public PoC seen so far (on GitHub) results in a blue screen, i.e. denial of service. Any other claims of working exploits have not been verified by any authority yet. This actually makes sense, since this is a memory-corruption vulnerability that resides in the kernel. Given the kernel exploitation mitigations in modern Windows, it is less likely to be easily exploited, and it might take some time before valid exploits are published by security researchers.
This is good news and gives some breathing space for mitigating the vulnerability without additional panic.
Fixing CVE-2022-21907
As we always recommend to our customers: remediate with your vendors’ patches.
There is a mitigation that applies to Windows Server 2019 and Windows 10 version 1809 in case HTTP Trailer support has been deliberately enabled.
Microsoft’s instruction is to delete the “EnableTrailerSupport” DWORD registry value under “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters”.
For the newer versions the registry mitigation does not apply, and Microsoft’s recommendation is to install the appropriate security patch and stay up to date.
If you can’t immediately install the latest patches, another option is to stop HTTP.sys altogether by disabling the HTTP service via the registry. But take into consideration that every service that depends on HTTP.sys (IIS, WinRM and the others mentioned above) will then stop working.
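The following is an added example for this article (not Microsoft’s tooling) that triages a host for this workaround: it reads the OS build, reads the EnableTrailerSupport value, reports whether trailer support is on, and removes the value only where the workaround applies. The build-to-version mapping is the one implied by the affected-versions list above (build 17763 is Windows 10 1809 / Windows Server 2019); the function and property names are invented for the example. Run it as an administrator; the final call uses -WhatIf so nothing is changed until you drop that switch.

```powershell
# Added example for this article: check and apply the EnableTrailerSupport
# workaround for CVE-2022-21907. Not Microsoft code. Requires an elevated shell.

$paramKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$valueName = 'EnableTrailerSupport'

function Get-TrailerSupportState {
    # Reports where this host stands with respect to HTTP trailer support.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    # Build 17763 = Windows 10 1809 / Windows Server 2019: trailer support is off
    # unless EnableTrailerSupport has been set. Later builds have it on by default.
    $offByDefault = ($build -eq 17763)
    $value = $null
    if (Test-Path $paramKey) {
        # Get-ItemProperty returns nothing when the value is absent, so $value stays $null.
        $value = (Get-ItemProperty -Path $paramKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
    }
    $enabled = if ($offByDefault) { ($null -ne $value) -and ($value -ne 0) } else { $true }
    [pscustomobject]@{
        ProductName               = $cv.ProductName
        Build                     = $build
        EnableTrailerSupportValue = $value
        TrailerSupportEnabled     = $enabled
        RegistryWorkaroundApplies = $offByDefault
    }
}

function Remove-TrailerSupportValue {
    # Deletes EnableTrailerSupport, which is the mitigation Microsoft describes
    # for 1809 / Server 2019. Supports -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $state = Get-TrailerSupportState
    if (-not $state.RegistryWorkaroundApplies) {
        Write-Warning "Build $($state.Build) has trailer support on by default; the registry workaround does not apply, install the security update instead."
        return
    }
    if ($null -eq $state.EnableTrailerSupportValue) {
        Write-Host "$valueName is not set; this host is not exposed by default."
        return
    }
    if ($PSCmdlet.ShouldProcess("$paramKey\$valueName", 'Delete registry value')) {
        Remove-ItemProperty -Path $paramKey -Name $valueName
        Write-Host "Deleted $valueName; HTTP trailer support is now disabled."
    }
}

Get-TrailerSupportState
Remove-TrailerSupportValue -WhatIf
```

On a 20H2/21H1/21H2/Server 2022 host the report will show TrailerSupportEnabled as true regardless of the registry, which is the reminder that for those builds only the update helps.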
You can check which processes use HTTP.sys, and which URL prefixes they have registered, with:
netsh http show servicestate
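Before disabling the driver it is worth knowing exactly what will stop. The added example below (written for this article, not Microsoft tooling) lists the services whose registry entries declare a dependency on HTTP, pulls the registered URLs and attached process IDs out of the netsh output quoted above, and disables the driver by setting its Start value to 4 (SERVICE_DISABLED), guarded by -WhatIf. The parsing of the netsh output assumes the layout where registered URLs are printed on their own lines beginning with HTTP:// or HTTPS:// and process IDs follow a “Process IDs:” line; function names are invented.

```powershell
# Added example for this article: find what depends on HTTP.sys and, only when
# you decide to, disable the driver. Not Microsoft code. Requires an elevated shell.

function Get-HttpSysDependents {
    # Services whose DependOnService (REG_MULTI_SZ) lists HTTP, e.g. W3SVC or WinRM.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
        ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.DependOnService -contains 'HTTP' } |
        ForEach-Object {
            $svc = Get-Service -Name $_.PSChildName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name        = $_.PSChildName
                DisplayName = $svc.DisplayName
                Status      = $svc.Status
            }
        }
}

function Get-HttpSysRegisteredUrls {
    # Live view from 'netsh http show servicestate': URL prefixes registered with
    # HTTP.sys and the PIDs attached to its request queues. Assumes the output
    # layout described in the lead-in.
    $text = netsh http show servicestate
    $urls = $text | Where-Object { $_ -match '^\s*HTTPS?://' } |
        ForEach-Object { $_.Trim() } | Sort-Object -Unique
    $pids = [System.Collections.Generic.List[int]]::new()
    $inPidBlock = $false
    foreach ($line in $text) {
        if ($line -match '^\s*Process IDs:') { $inPidBlock = $true; continue }
        if ($inPidBlock) {
            if ($line -match '^\s*(\d+)\s*$') { $pids.Add([int]$Matches[1]); continue }
            $inPidBlock = $false   # first non-numeric line ends the PID block
        }
    }
    [pscustomobject]@{
        Urls      = $urls
        Processes = $pids | Sort-Object -Unique | ForEach-Object {
            $p = Get-Process -Id $_ -ErrorAction SilentlyContinue
            [pscustomobject]@{ Pid = $_; Name = $p.ProcessName }
        }
    }
}

function Disable-HttpSys {
    # Sets the driver's Start value to 4 (SERVICE_DISABLED); it will not load
    # after the next reboot. Everything listed by the two functions above breaks.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP'
    if ($PSCmdlet.ShouldProcess($key, 'Set Start=4 (disabled)')) {
        Set-ItemProperty -Path $key -Name Start -Value 4 -Type DWord
    }
}

Get-HttpSysDependents | Format-Table -AutoSize
Get-HttpSysRegisteredUrls
Disable-HttpSys -WhatIf
```

Keep the output of the first two functions with the change record: it is the list of what you have to bring back (by restoring Start to its previous value and rebooting) once the security update is installed.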
At Vulcan Cyber we work around the clock to monitor new threat intelligence indications and trends. Stay up to date with all the latest vulnerabilities with the Vulcan Remedy Cloud.