Expert Weighs In: Dissecting the HTTP.SYS vulnerability - CVE-2022-21907

Yesterday, Microsoft patched a critical vulnerability in http.sys. The vulnerability is also know by its CVE number CVE-2022-21907. Currently, there is no "catchy" name for it.

This is a widely used module for anything in Windows that acts as a web server.


Microsoft describes the vulnerability as "wormable" and suggests prioritizing patching for it. Most recent versions of Windows are affected.


Dr. Johannes Ullrich, Dean of Research for SANS Technology Institute, and founder of the Internet Storm Center dissected the vulnerability and why it's so dangerous for organizations, should they not patch.




When will an exploit be available for CVE-2022-21907?


Who knows. Microsoft rates the exploitability as "Exploitation More Likely." I suggest you patch this week.

Which versions are affected?


Microsoft's advisory is a bit oddly worded. But at this point, my best read of it is: The vulnerable code was introduced in Windows Server 2019 and Windows 10 version 1809. But these versions of Windows had a registry key set by default disabling the feature. All later versions are vulnerable "out of the box." For Windows Server 2019 and Windows 10 Version 1809, the "HKLM:\System\CurrentControlSet\Services\HTTP\Parameter\EnableTrailerSupport" is set to 0 by default disabling trailers

Am I vulnerable if I do not have IIS enabled?


Possibly. This is NOT an IIS vulnerability, but a vulnerability in http.sys. http.sys is probably best described as the core HTTP engine inside IIS. But other software using http.sys and possibly exposing the vulnerability: WinRM (Windows Remote Management), WSDAPI (Web Services for Devices) for example, expose http.sys.

What is an attacker able to do with this vulnerability?


Microsoft implemented http.sys as a kernel-mode driver. In other words: Running code via http.sys can lead to a complete system compromise. However, past vulnerabilities (for example, CVE-2021-31166) were never fully exploited as several techniques were used to mitigate exploitation, and PoCs released were only able to cause a denial of service. The CVSS 3.1 base score for the vulnerability is 9.8 out of 10.

Does a web application firewall (WAF) help?


Likely yes. You could start (at your own risk) to block requests with trailers. Maybe log them first to see if you see legitimate uses (let us know what uses them and how). For details, ask your web app firewall vendor.


Has there been anything like this vulnerability in the past that was just as severe?


In 2015, we had a similar fire drill for CVE-2015-1635 (MS15-34). Maybe you kept notes? They will come in handy now. This Range header vulnerability never amounted to much.

What are these Trailers about anyway?


Trailers are defined in RFC7230. They only make sense if "Transfer-Encoding: chunked" is used. With chunked encoding, the body of a request or response is transmitted in small chunks. A length precedes each chunk in bytes. The idea behind this is that you may not know how long it will be as you start sending a message. In addition, chunked encoding does allow the sender to delay sending headers until the body is sent. These become "trailers."

Will we go to Infocon Yellow again?


Once we see exploitation of this vulnerability.


###