Dive Brief:
- Microsoft's Patch Tuesday included a fix for CVE-2022-21907, a critical HTTP Protocol Stack (http.sys) remote code execution vulnerability. While malicious actors have not exploited the vulnerability yet, Microsoft said exploitation is "more likely."
- The vulnerability is wormable: exploiting it requires neither user interaction nor privileged access, so a compromised system could in turn be used to attack others. "In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets," the company said.
- Windows Server 2019 and Windows 10 version 1809 appear in the security alert, although they are not vulnerable in their default configuration. Windows 10 version 1909 is not affected. With a CVSS score of 9.8, Microsoft recommends that organizations prioritize the patch for affected servers.
Dive Insight:
CVE-2022-21907 echoes CVE-2015-1635 (MS15-034), an earlier http.sys remote code execution flaw that affected Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2, and that attackers could trigger with specially crafted HTTP requests.
The attack complexity of CVE-2022-21907 is rated low, which adds to the severity of the vulnerability.
While the advisory focuses on servers, Windows client systems that run http.sys are also affected. If an attacker can run code through http.sys, organizations can face broad system compromise, according to Johannes Ullrich, dean of research at the SANS Technology Institute and founder of the Internet Storm Center, in an emailed statement to Cybersecurity Dive.
Those two versions are protected as long as the HTTP Trailer Support feature stays disabled. Windows Server 2019 and Windows 10 version 1809 "had a registry key set by default disabling the feature. All later versions are vulnerable 'out of the box,'" Ullrich said.
Web application firewalls will likely help block requests with trailers, Ullrich said. He recommends companies "log them first to see if you see legitimate uses."
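The logging step Ullrich recommends needs a way to tell which requests actually carry chunked-encoding trailers, the feature this vulnerability lives in. The following PowerShell function is an added example, not code from the article, Ullrich or any WAF vendor: it parses a raw HTTP/1.1 request and reports whether it advertises a Trailer header and whether the chunked body really ends in trailer fields. The sample requests are constructed for the example; the chunk-boundary regex is a triage heuristic for log review, not a full chunked-encoding parser.

```powershell
# Added example: flag HTTP/1.1 requests that carry chunked-encoding trailers, so log review can
# show whether any legitimate client sends them before a WAF rule starts blocking them.
# Not from the article or from Microsoft; the sample requests below are constructed.

function Test-HttpTrailerRequest {
    param([string]$Raw)   # one raw request, headers and body, CRLF-separated

    $parts   = $Raw -split "`r`n`r`n", 2        # split head from body at the first blank line
    $headers = $parts[0] -split "`r`n"
    $body    = if ($parts.Count -gt 1) { $parts[1] } else { '' }

    # A Trailer header only advertises trailers; a sender may omit it and still send trailer fields.
    $declaresTrailer = [bool]($headers | Where-Object { $_ -match '^Trailer\s*:' })
    $isChunked       = [bool]($headers | Where-Object { $_ -match '^Transfer-Encoding\s*:.*\bchunked\b' })

    # Trailer fields, if any, sit between the terminating zero-size chunk ("0\r\n") and the final CRLF.
    # Heuristic: assumes no data chunk itself contains the byte sequence CRLF "0" CRLF.
    $trailerFields = @()
    if ($isChunked -and ($body -match '(?s)(?:^|\r\n)0\r\n(.*)\r\n$')) {
        $trailerFields = @($Matches[1] -split "`r`n" | Where-Object { $_ -ne '' })
    }

    [pscustomobject]@{
        RequestLine     = $headers[0]
        DeclaresTrailer = $declaresTrailer
        Chunked         = $isChunked
        TrailerFields   = $trailerFields
        Suspicious      = $declaresTrailer -or ($trailerFields.Count -gt 0)
    }
}

# Constructed sample requests (not captured traffic).
$samples = @(
    # Ordinary request, no body: Suspicious = False
    "GET / HTTP/1.1`r`nHost: example.test`r`n`r`n",
    # Chunked upload that both declares and sends a trailer field: Suspicious = True
    "POST /upload HTTP/1.1`r`nHost: example.test`r`nTransfer-Encoding: chunked`r`nTrailer: X-Checksum`r`n`r`n5`r`nhello`r`n0`r`nX-Checksum: 9a1d`r`n`r`n",
    # Trailer fields without a Trailer header: still Suspicious = True
    "POST /upload HTTP/1.1`r`nHost: example.test`r`nTransfer-Encoding: chunked`r`n`r`n5`r`nhello`r`n0`r`nX-Signature: deadbeef`r`n`r`n",
    # Chunked body with no trailers: Suspicious = False
    "POST /upload HTTP/1.1`r`nHost: example.test`r`nTransfer-Encoding: chunked`r`n`r`n5`r`nhello`r`n0`r`n`r`n"
)

$samples |
    ForEach-Object { Test-HttpTrailerRequest -Raw $_ } |
    Format-Table RequestLine, DeclaresTrailer, Chunked, Suspicious, TrailerFields -AutoSize
```

Run the function over whatever raw-request logging the WAF or reverse proxy provides; a hit on Suspicious with an unfamiliar client is the request to investigate, while a steady stream from a known application is the "legitimate use" Ullrich says to look for before blocking.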
If a company has Internet Information Services (IIS) disabled on Windows Server, it might appear to be safe from the vulnerability. However, Ullrich warns "a vulnerability in http.sys is probably best described as the core HTTP engine inside IIS."
Other software, including Windows Remote Management (WinRM) and Web Services for Devices (WSDAPI), also listens through http.sys, so a host without IIS can still expose CVE-2022-21907.
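Two things a practitioner wants to check on a host, given the registry-key mitigation described earlier and the point that non-IIS services also sit on http.sys: whether the trailer-support value is set, and what is actually listening through the driver. The script below is an added example, not from the article, Ullrich or Microsoft. It assumes the registry path Microsoft names for the workaround (`HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters`, value `EnableTrailerSupport`), that build 17763 identifies Windows Server 2019 and Windows 10 version 1809, and that kernel-mode listeners appear under the System process (PID 4).

```powershell
# Added example: triage one Windows host for CVE-2022-21907. Not the article's or Microsoft's code.
# Part 1 reports the HTTP Trailer Support registry value (Microsoft's workaround on Server 2019 /
# Windows 10 1809 is to delete it; on those builds it is absent by default).
# Part 2 lists what is listening through http.sys, because a host with no IIS can still expose the
# driver through WinRM, WSDAPI and similar listeners.
# Assumptions: registry path as documented for the workaround; build 17763 = Server 2019 / 1809;
# kernel-mode listeners are owned by the System process (PID 4). Run in an elevated session.

$paramKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$valueName = 'EnableTrailerSupport'
$build     = [System.Environment]::OSVersion.Version.Build

# --- Part 1: state of the registry workaround ---
$item  = Get-ItemProperty -Path $paramKey -Name $valueName -ErrorAction SilentlyContinue
$value = if ($null -ne $item) { [int]$item.$valueName } else { $null }

if ($build -eq 17763) {
    if ($value -eq 1) {
        Write-Warning "${valueName}=1 on build ${build}: trailer support is enabled, which is the vulnerable condition."
        # Microsoft's workaround is to remove the value. Uncomment to apply it; still install the update.
        # Remove-ItemProperty -Path $paramKey -Name $valueName
    } else {
        Write-Host "Build ${build} with ${valueName} unset or 0: trailer support disabled, not vulnerable by default."
    }
} else {
    Write-Host "Build ${build}: the registry workaround does not apply to this version; if it is in the advisory's affected list, only the January 2022 update fixes it."
}

# --- Part 2: what is listening through http.sys ---
# Candidate ports: sockets in LISTEN state owned by the System process (PID 4). This also includes
# other kernel listeners such as SMB on 445; the netsh output below is the authoritative http.sys list.
Write-Host "Listening ports owned by PID 4 (candidates for http.sys):"
Get-NetTCPConnection -State Listen -OwningProcess 4 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort |
    Sort-Object LocalPort -Unique |
    Format-Table -AutoSize

# URL reservations and active request queues map ports to owners, e.g. http://+:5985/wsman/ is WinRM.
netsh http show urlacl
netsh http show servicestate view=requestq
```

On a build-17763 host the first section tells you immediately whether the default protection was ever switched off; on every other affected version it reminds you that only the update helps. The second section is the answer to "but we do not run IIS": any registered URL or request queue in the netsh output is http.sys parsing requests on that host.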