Microsoft: New critical Windows HTTP vulnerability is wormable
Reading Time: 1 Minute
Microsoft has patched a critical flaw tagged as wormable and found to impact the latest desktop and server Windows versions, including Windows 11 and Windows Server 2022.
The bug, tracked as CVE-2022-21907 and patched during this month’s Patch Tuesday, was discovered in the HTTP Protocol Stack (HTTP.sys) used as a protocol listener for processing HTTP requests by the Windows Internet Information Services (IIS) web server.
Successful exploitation requires threat actors to send maliciously crafted packets to targeted Windows servers, which use the vulnerable HTTP Protocol Stack for processing packets.
Microsoft recommends users prioritize patching this flaw on all affected servers since it could allow unauthenticated attackers to remotely execute arbitrary code in low complexity attacks and “in most situations,” without requiring user interaction.
Mitigation available (for some Windows versions)
Luckily, the flaw is not currently under active exploitation and there are no publicly disclosed proof of concept exploits.
Furthermore, on some Windows versions (i.e., Windows Server 2019 and Windows 10 version 1809), the HTTP Trailer Support feature containing the bug is not enabled by default.
According to Microsoft, the following Windows registry key has to be configured on these two Windows versions to introduce the vulnerability:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\
"EnableTrailerSupport"=dword:00000001Disabling the HTTP Trailer Support feature will protect systems running the two versions, but this mitigation does not apply to other impacted Windows releases.
Potential targets likely safe from attacks
While home users are yet to apply today’s security updates, most companies will likely be protected from CVE-2022-21907 exploits, given that they don’t commonly run the latest released Windows versions.
In the last two years, Microsoft has patched several other wormable bugs, impacting the Windows DNS Server (also known as SIGRed), the Remote Desktop Services (RDS) platform (aka BlueKeep), and the Server Message Block v3 protocol (aka SMBGhost).
Redmond also addressed another Windows HTTP RCE vulnerability in May 2021 (tracked as CVE-2021-31166 and also tagged as wormable), for which security researchers released demo exploit code that could trigger blue screens of death.
See Also: Offensive Security Tool: Osmedeus
However, threat actors are yet to exploit them to create wormable malware capable of spreading between vulnerable systems running vulnerable Windows software.
See Also: Hacking stories – Rafael Núñez (aka RaFa), hacking NASA with the hacking group: World of Hell
Source: www.bleepingcomputer.com
(Click Link)
Recent News
Glove Stealer Malware Evades Chrome’s App-Bound Encryption to Target Cookies
New RustyAttr Trojan Evades macOS Security Using Hidden Metadata
GoIssue: Sophisticated Phishing Tool Targets GitHub Developer Credentials
New Ymir Ransomware Launches In-Memory Attacks Post-RustyStealer Infections
North Korean Hackers Deploy MacOS Malware with Unseen Stealth to Hijack Crypto Firms
Winos4.0 Malware Framework Uses Gaming Apps to Infiltrate Windows Systems
CRON#TRAP Phishing Attack: A Linux VM Backdoor Hides Inside Windows Systems
New Interlock Ransomware Exploits FreeBSD servers, Demanding Huge Ransoms
New Version of iOS Spyware LightSpy Adds Device-Disabling Capabilities
Opera Browser ‘CrossBarking’ Vulnerability Could Enable Full Access to Private APIs
