HTTP Protocol Stack Vulnerability

During the January patch Tuesday Microsoft released patches for 96 new vulnerabilities. The most severe vulnerability is a remote code execution vulnerability in http.sys, registered as CVE-2022-21907. This vulnerability has a CVSS-score of 9.8. The CVSS scale runs from 0 to 10. A score of 9.8 or higher is rare and implies a high risk of exploitation with high impact. The CVE-2022-21907 vulnerability is a remote code execution vulnerability and allows an unauthenticated remote attacker to execute code on the affected system. The vulnerability exists in the HTTP Trailer Support feature of http.sys. Be aware that http.sys is not only used as a server component, but also clients make use of http.sys. Clients connecting to a rogue webserver can also be exploited.

The vulnerability allows a remote unauthenticated attacker to directly construct malicious requests or responses to trigger remote code execution. Since the vulnerability is wormable, it has the ability to move lateral from public exposed systems to internal facing systems. Additionally, as this is both a client and a server vulnerability, an infected internal client can infect other systems.

Of the currently maintained Windows versions, the following versions are vulnerable:

• Windows 10
• Windows 10 version 1809 – The HTTP Trailer Support feature is disabled by default.
• Windows 11
• Windows Server 2019 – The HTTP Trailer Support feature is disabled by default.
• Windows Server 2022
• Windows Server 20H2

Microsoft published a patch on the 11^th of January 2022. It is strongly advised applying this patch as soon as possible.

As a workaround, the registry key HKLM:\System\CurrentControlSet\Services\HTTP\Parameter\EnableTrailerSupport can be set to 0, disabling the HTTP Trailer Support feature. For Windows Server 2019 and Windows 10 version 1809, the HTTP Trailer Support feature is normally not active, as this registry key is set to 0 by default.

More information:

• Microsoft CVE information
• Microsoft Patch Tuesday