In this Tech Tip, SANS Institute’s Johannes Ullrich suggests using PowerShell to identify Windows systems affected by the newly disclosed vulnerability in http.sys.
Of the nine critical vulnerabilities Microsoft fixed in January’s Patch Tuesday release, the remote code execution flaw in the HTTP Protocol Stack (CVE-2022-21907) is a doozy. It affects Windows servers and clients (anything that can run http.sys) and has a CVSS rating of 9.8 on a 10.0 scale.
This Tech Tip shares insights from Dr. Johannes B. Ullrich, the Dean of Research at SANS Technology Institute, on how IT administrators can check which systems are impacted.
The vulnerability targets the HTTP trailer support feature, which allows a sender to include additional fields in a message to supply metadata. An attacker would be able to exploit this flaw by sending a specially crafted packet to a target server using http.sys to process packets.
“Running code via http.sys can lead to a complete system compromise,” Ullrich writes on the SANS Institute’s FAQ page on the vulnerability.
Most worrying, Microsoft says the flaw is wormable, meaning human interaction is not required for an attack to spread from one vulnerable Windows box to another. Once an attacker compromises one system, it will be able to spread easily throughout the organization’s entire intranet.
Organizations are encouraged to find affected systems and deploy updates as soon as possible.
How Do I Check My System?
The flaw affects Windows 10 and Windows 11, as well as Server 2019 and Server 2022. It appears the vulnerable code was introduced in Windows Server 2019 and Windows 10 version 1809 – but disabled by default. Ullrich suggests the following PowerShell query to check the registry values to determine if the vulnerability exists on the system:
Get-ItemProperty “HKLM:\System\CurrentControlSet\Services\HTTP\Parameters” | Select-Object EnableTrailerSupport
It’s also possible that other software using http.sys could be exposing the vulnerability, including Microsoft Internet Information Service (IIS), WinRM (Windows Remote Management), and WSDAPI (Web Services for Devices). Ullrich notes that http.sys can be described “as the core HTTP engine inside IIS.” Administrators can use the netsh command to list all processes that use http.sys.
netsh http show servicestate
Do I Have to Patch Immediately?
Microsoft rates the exploitability as “Exploitation More Likely,” and recommends patching this vulnerability as soon as possible. To put things in context, when Microsoft patched a similar wormable remote code execution flaw in the HTTP Protocol Stack (CVE-2021-31166) last May, it took less than a week for proof-of-concept code to be posted online.
Despite its critical rating, the actual exploit may wind up not as damaging as it could be, cautions Ullrich. “Past vulnerabilities were never fully exploited as several techniques were used to mitigate exploitation, and PoCs released were only able to cause a denial of service,” he says. There was a “similar fire drill” for an integer overflow vulnerability affecting http.sys in IIS back in 2015, but it “never amounted to much.”
Ullrich notes that a web application firewall would be able to block requests with trailers (where the malicious code would be hidden). That could buy organizations some time as they figure out the deployment schedule. At the moment, IT teams have a window of opportunity before any PoCs or exploits are published to assess their exposure and mitigate found issues.