Microsoft has patched a critical flaw tagged as wormable and found to impact the latest desktop and server Windows versions, including Windows 11 and Windows Server 2022.
The bug, tracked as CVE-2022-21907 and patched during this month’s Patch Tuesday, was discovered in the HTTP Protocol Stack (HTTP.sys) used as a protocol listener for processing HTTP requests by the Windows Internet Information Services (IIS) webserver.
Successful exploitation requires threat actors to send maliciously crafted packets to targeted Windows servers, which use the vulnerable HTTP Protocol Stack for processing packets.
Microsoft recommends users prioritize patching this flaw on all affected servers since it could allow unauthenticated attackers to remotely execute arbitrary code in low complexity attacks and “in most situations,” without requiring user interaction.
Mitigation available (for some Windows versions)
Luckily, the flaw is not currently under active exploitation and there are no publicly disclosed proof of concept exploits.
Furthermore, on some Windows versions (i.e., Windows Server 2019 and Windows 10 version 1809), the HTTP Trailer Support feature containing the bug is not enabled by default.
According to Microsoft, the following Windows registry key has to be configured on these two Windows versions to introduce the vulnerability:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\
"EnableTrailerSupport"=dword:00000001Disabling the HTTP Trailer Support feature will protect systems running the two versions, but this mitigation does not apply to other impacted Windows releases.
Potential targets likely safe from attacks
While home users are yet to apply today’s security updates, most companies will likely be protected from CVE-2022-21907 exploits, given that they don’t commonly run the latest released Windows versions.
In the last two years, Microsoft has patched several other wormable bugs, impacting the Windows DNS Server (also known as SIGRed), the Remote Desktop Services (RDS) platform (aka BlueKeep), and the Server Message Block v3 protocol (aka SMBGhost).
Redmond also addressed another Windows HTTP RCE vulnerability in May 2021 (tracked as CVE-2021-31166 and also tagged as wormable), for which security researchers released demo exploit code that could trigger blue screens of death.
However, threat actors are yet to exploit them to create wormable malware capable of spreading between vulnerable systems running vulnerable Windows software.
Read more CyberSecurity news articles
2,559 total views, 2 views today
I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated...
I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK.
English
Afrikaans
Albanian
Amharic
Arabic
Armenian
Azerbaijani
Basque
Belarusian
Bengali
Bosnian
Bulgarian
Catalan
Cebuano
Chichewa
Chinese (Simplified)
Chinese (Traditional)
Corsican
Croatian
Czech
Danish
Dutch
Esperanto
Estonian
Filipino
Finnish
French
Frisian
Galician
Georgian
German
Greek
Gujarati
Haitian Creole
Hausa
Hawaiian
Hebrew
Hindi
Hmong
Hungarian
Icelandic
Igbo
Indonesian
Irish
Italian
Japanese
Javanese
Kannada
Kazakh
Khmer
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latin
Latvian
Lithuanian
Luxembourgish
Macedonian
Malagasy
Malay
Malayalam
Maltese
Maori
Marathi
Mongolian
Myanmar (Burmese)
Nepali
Norwegian
Pashto
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Samoan
Scottish Gaelic
Serbian
Sesotho
Shona
Sindhi
Sinhala
Slovak
Slovenian
Somali
Spanish
Sudanese
Swahili
Swedish
Tajik
Tamil
Telugu
Thai
Turkish
Ukrainian
Urdu
Uzbek
Vietnamese
Welsh
Xhosa
Yiddish
Yoruba
Zulu
2 thoughts on “MS: New Critical Windows HTTP Vulnerability Is Wormable”