If you do postpone, you might want to read this one. Many employee’s in the organisation are using the old unpatched server, because of the blue screen error, system restart & update time. Because of this, the hacker use this opportunity to take the system control by using http protocol stack remote code execution vulnerability.
When HTTP Protocol Stack (Http.sys) handles objects in memory in the wrong way, a remote code execution vulnerability exists. If an attacker was able to take advantage of this vulnerability, they could run any code on the system and take control of it. Most of the time, an unauthenticated attacker could take advantage of the vulnerability by sending a specially made packet to a targeted Http.sys server.
This vulnerability is fixed by the security update, which fixes how HTTP Protocol Stack (Http.sys) handles objects in memory.
Step 1: What versions of Windows are affected?
Microsoft put out a Security Update on January 11, 2022, to fix an RCE vulnerability (CVE-2022-21907) in http.sys.
Microsoft says that this problem affects the following versions of Windows:
“Windows 10 Version 1809 for 32-bit Systems”
“Windows 10 Version 1809 for x64-based Systems”
“Windows 10 Version 1809 for ARM64-based Systems”
“Windows 10 Version 21H1 for 32-bit Systems”
“Windows 10 Version 21H1 for x64-based System”
“Windows 10 Version 21H1 for ARM64-based Systems”
“Windows 10 Version 20H2 for 32-bit Systems”
“Windows 10 Version 20H2 for x64-based Systems”
“Windows 10 Version 20H2 for ARM64-based Systems”
“Windows 10 Version 21H2 for 32-bit Systems”
“Windows 10 Version 21H2 for x64-based Systems”
“Windows 10 Version 21H2 for ARM64-based Systems”
“Windows 11 for x64-based Systems”
“Windows 11 for ARM64-based Systems”
“Windows Server 2019”
“Windows Server 2022”
This is a long list! What’s more, they say that its exploitation is likely, as “an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets.”
All the software that uses the non-patched http.sys to handle HTTP protocol is vulnerable.Internet Information Services is a piece of software that uses the driver http.sys as its back end (IIS).
This means that the target is vulnerable if the Windows system where the IIS server is running was not patched.
Step 2: What an attacker might do if they exploit this flaw?
Microsoft implemented http.sys as a kernel-mode driver. In other words, running code through http.sys can compromise the whole system. But past vulnerabilities, like CVE-2021-31166, were never fully used because there were ways to stop that from happening, and proofs of concept could only cause a denial of service. The vulnerability has a CVSS 3.1 base score of 9.8 out of 10.
Step 3: Am I at risk if I don't have IIS enabled?
Possibly.This is NOT a weakness in IIS. It is a weakness in http.sys.
IIS and other frameworks use http.sys, which is best thought of as the core HTTP/.Net engine. But other software that use http.sys may expose the vulnerability. For example, WinRM (Windows Remote Management) and WSDAPI (Web Services for Devices) use http.sys and may do so. Try for a quick list of process that use the http.sys file:
netsh http show servicestate
Step 4: Does a web application Firewall help?
Likely yes. You could start blocking requests with trailers (at your own risk).
Maybe log them down first to see if they are being used in a good way "let us know what uses them and how". Ask your web app firewall provider for more information.
Does Patch update matters?
At the moment, Microsoft has officially put out a security patch for supported product versions to fix this problem. Users who are at risk should install the patch as soon as possible to protect themselves. The official download link:
Note: The Windows Update patch update may fail because of problems with the network, the computer environment, etc. After installing the patch, the user should check right away to see if it was done correctly.
Right-click the Windows icon, choose "Settings (N)", then choose "Update and Security" – "Windows Update" and read the information on this page.
You can also click "View Update History" to see the updates that have happened in the past.
If an update doesn't install correctly, you can search on its update name to go to the official Microsoft download page. The independent package can be downloaded and installed from the "Microsoft Update Catalog" website.
What are the Temporary mitigation steps?
Temporary steps can be taken if Windows Server 2019 and Windows 10 version 1809 customers are unable to download and install the patch.
Deleting “EnableTrailerSupport” in the DWORD registry protects against this vulnerability, the path for “EnableTrailerSupport” is: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
Note: This vulnerability only affects the above versions if the user has turned on HTTP Trailer Support using the EnableTrailerSupport registry value. This flaw doesn't affect the way things are set up by default.
To summarise, This is a very easy vulnerability to exploit. Web servers running a vulnerable version of IIS could be easily attacked by a remote attacker who didn't need to log in. Even though remote code execution exploits aren't known yet, they could come out in the future. Administrators should apply the patch. If they can't do that right away, they could disable IIS kernel caching as a workaround.