Attackers can exploit a wormable vulnerability in the HTTP Protocol Stack of the Windows IIS server to compromise WinRM (Windows Remote Management) service on unpatched Windows 10 and Server systems. Microsoft says the bug can be abused in remote code execution (RCE) attacks.
Only versions 2004 and 20H2 of Windows 10 and Windows Server are impacted by the vulnerability. Microsoft has already patched this critical vulnerability tracked as CVE-2021-31166 as a part of the May Patch Tuesday, but many servers remain unpatched.
Microsoft urges network administrators to prioritize patching affected servers and warns that the vulnerability could allow unauthenticated attackers remote code execution “in most situations.”
Security researcher Axel Souchet has recently published a proof-of-concept exploit that can be used to trigger blue screens of death on unpatched systems by sending maliciously crafted packets.
The vulnerable HTTP Protocol Stack (HTTP.sys) is used in the Windows IIS web server for processing HTTP requests.
Another security researcher Jim DeVries discovered that the bug also impacts Windows 10 and Server devices running the WinRM service, a component of the Windows Hardware Management that relies on the vulnerable HTTP.sys.
Researchers emphasize that enterprise Windows Server endpoints are more vulnerable to these attacks as they have WinRM toggled on by default.
“[CVE-2021-31166] is commonly used in corporate environments. It’s enabled by default on servers,” DeVries told BleepingComputer.
“I don’t think this is a big risk for home PCs but, should someone marry this to a worm and ransomware, it could run wild in corporate environments.”
CERT/CC vulnerability analyst Will Dormann has confirmed DeVries’ findings. Dormann says he successfully crashed a Windows system using the Souchet’s DoS exploit.
According to Dormann, over 2 million Windows systems currently online are exposing the vulnerable WinRM service.
Luckily, only a subset of these Internet-exposed Windows systems run on versions 2004 and 20H2. The impact should further be limited by the fact that most home users have probably updated their systems last week.