Microsoft has corrected a severe wormable weakness that affects the newest Windows desktop and server versions, including Windows 11 and Windows Server 2022. The flaw was identified in the HTTP Protocol Stack (HTTP.sys), which is used as a protocol listener for processing HTTP requests by the Windows Internet Information Services (IIS) webserver. It was tagged as CVE-2022-21907.
For successful exploitation, threat actors must deliver deliberately generated packets to targeted Windows servers, which employ the vulnerable HTTP Protocol Stack to process packets. Microsoft advises users to fix this issue on all affected servers as soon as possible because it might allow unauthenticated attackers to remotely execute arbitrary code in “most circumstances” without any user involvement.
Fortunately, the weakness isn’t being actively exploited right now, and there are no publicly reported proof-of-concept attacks. Furthermore, the HTTP Trailer Support functionality containing the problem is disabled by default on some Windows versions (e.g., Windows Server 2019 and Windows 10 version 1809).
As per Microsoft, to create the vulnerability, the following Windows registry entry must be set on these two Windows versions:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\”EnableTrailerSupport”=dword:00000001
Disabling HTTP Trailer Support will protect computers running the two versions, but it will not protect systems running other affected Windows releases. While most residential users have yet to install today’s security patches, most businesses will be safe from CVE-2022-21907 attacks since they don’t typically use the most recent Windows versions.
Microsoft has addressed numerous additional wormable issues in the previous two years, including those affecting the Windows DNS Server (aka SIGRed), the Remote Desktop Services (RDS) platform (also known as BlueKeep), and the Server Message Block v3 protocol (aka SMBGhost).
Another Windows HTTP RCE vulnerability (recorded as CVE-2021-31166 and similarly classified as wormable) was patched by Redmond in May 2021. Security researchers provided demo exploit code that might cause blue screens of death. On the other hand, threat actors have yet to use them to construct wormable malware that can propagate across susceptible devices running vulnerable Windows software.