This live blog contains information regarding vulnerabilities in the HTTP Protocol Stack Vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog.
Update January 12, 2022
14:00 | During the January patch Tuesday Microsoft released patches for 96 new vulnerabilities. The most severe vulnerability is a remote code execution vulnerability in http.sys, registered as CVE-2022-21907. This vulnerability allows an unauthenticated attacker to execute code on an affected system by sending a specially crafted request or response.
We advise to check if your products are listed and apply the required patches or workaround as soon as possible.
Reason and background of this blog
This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.
During the January patch Tuesday Microsoft released patches for 96 new vulnerabilities. The most severe vulnerability is a remote code execution vulnerability in http.sys, registered as CVE-2022-21907. This vulnerability has a CVSS-score of 9.8. The CVSS scale runs from 0 to 10. A score of 9.8 or higher is rare and implies a high risk of exploitation with high impact. The CVE-2022-21907 vulnerability is a remote code execution vulnerability and allows an unauthenticated remote attacker to execute code on the affected system. The vulnerability exists in the HTTP Trailer Support feature of http.sys. Be aware that http.sys is not only used as a server component, but also clients make use of http.sys. Clients connecting to a rogue webserver can also be exploited.
The vulnerability allows a remote unauthenticated attacker to directly construct malicious requests or responses to trigger remote code execution. Since the vulnerability is wormable, it has the ability to move lateral from public exposed systems to internal facing systems. Additionally, as this is both a client and a server vulnerability, an infected internal client can infect other systems.
Of the currently maintained Windows versions, the following versions are vulnerable:
- Windows 10
- Windows 10 version 1809 – The HTTP Trailer Support feature is disabled by default.
- Windows 11
- Windows Server 2019 – The HTTP Trailer Support feature is disabled by default.
- Windows Server 2022
- Windows Server 20H2
Microsoft published a patch on the 11th of January 2022. It is strongly advised applying this patch as soon as possible.
As a workaround, the registry key HKLM:\System\CurrentControlSet\Services\HTTP\Parameter\EnableTrailerSupport can be set to 0, disabling the HTTP Trailer Support feature. For Windows Server 2019 and Windows 10 version 1809, the HTTP Trailer Support feature is normally not active, as this registry key is set to 0 by default.
Do you want to be informed in time? Sign up for our technical updates
Would you like to receive these critical vulnerabilities by e-mail from now on? Enter your e-mail address below.