On Tuesday, January 12, 2022, Microsoft released security patches for CVE-2022-21907–a wormable remote code execution (RCE) vulnerability impacting multiple Microsoft Windows Operating Systems–and 96 additional vulnerabilities impacting their product suite.
CVE-2022-21907 is a vulnerability in Microsoft’s HTTP Protocol Stack (http.sys) that impacts the latest desktop and server versions, including Windows 11 and Windows Server 2022. The vulnerability is present if the HTTP Trailer Support feature is enabled, which is the default configuration for Windows Server 2022, 20H2 core, and various Windows 10 and 11 versions.
The feature is available, but not enabled by default in Windows Server 2019 and Windows 10 version 1809. Due to Microsoft’s implementation of http.sys as a kernel-mode driver, complete system compromise is feasible.
To exploit this vulnerability, an unauthenticated threat actor would need to send a specially crafted packet to the vulnerable server utilizing the HTTP Protocol Stack to process packets. According to Microsoft, the vulnerability has not been actively exploited in the wild and a Proof-of-Concept (PoC) exploit has not been published. We assess a PoC exploit will likely be developed in the near-term, however, it will likely be limited in functionality and may not contain worming capabilities until much later.
A similar vulnerability, CVE-2015-1635, in Microsoft’s HTTP Protocol Stack had a PoC exploit published within days of the vulnerability being disclosed. However, mass exploitation was not observed. Arctic Wolf is actively monitoring for technical details to be released surrounding CVE-2022-21907 to assist us in detecting exploitation of this vulnerability.
Other noteworthy vulnerabilities patched in the Patch Tuesday release are:
- CVE-2022-21846: A critical RCE vulnerability in Microsoft Exchange Server. The vulnerability is limited at the protocol level and cannot be exploited simply via the Internet. The threat actor would need to share the same physical network, logical network, or be within the same administrative domain to exploit this vulnerability. The vulnerability has not been actively exploited in the wild and a Proof-of-Concept (PoC) exploit has not been published.
- CVE-2021-22947: A critical RCE vulnerability in the Open Source cURL library used by Windows. A threat actor could exploit this vulnerability to conduct a Man-in-the-Middle attack. The vulnerability has not been actively exploited in the wild and a Proof-of-Concept (PoC) exploit has not been published.
This section details recommendations that Arctic Wolf suggests remediating CVE-2022-21907.
Recommendation #1: Patch Vulnerable Versions of Windows Server and Desktop
To remediate CVE-2022-21907, we recommend applying the latest security patches released by Microsoft.
Microsoft has indicated in their advisory here that specific versions are affected by this vulnerability. We recommend reviewing the table below to determine if you are running any outdated versions of this software in your environment and patch as soon as possible.
|Product||Microsoft Knowledge Base ID|
|Windows Server 2019||KB5009557|
|Windows 10 Version 21H2||KB5009543|
|Windows Server Version 20H2||KB5009543|
|Windows 10 Version 20H2||KB5009543|
|Windows Server 2022||KB5009555|
|Windows 10 Version 21H1||KB5009543|
|Windows 10 Version 21H2||KB5009543|
|Windows 10 Version 1809||KB5009557|
NOTE: The HTTP Trailer Support feature is available, but not enabled by default in Windows Server 2019 and Windows 10 version 1809. Default versions of the operating systems are not vulnerable to CVE-2022-21907.
Recommendation #2: Disable the HTTP Trailer Support feature for Windows Server 2019 and Windows 10 version 1809
Windows Server 2019 and Windows 10 version 1809 are not vulnerable by default. The HTTP Trailer Support feature must be manually enabled via configuring a specific registry key. If patching is not immediately feasible and your organization does not need support for HTTP trailers, disable the feature.
Microsoft has provided the below guidance in their update here on the Registry Key changes needed to enable HTTP Trailer support. If the registry key is not present, the HTTP Trailer Support function is not enabled.
Registry key used to enable HTTP Trailer Support:
If your organization uses Windows Server 2019 or Windows 10 Version 1809, you can check for this registry value via PowerShell. If it is set to 0, the feature is disabled.
1Get-ItemProperty “HKLM:\System\CurrentControlSet\Services\HTTP\Parameters” | Select-Object EnableTrailerSupport