Microsoft Patches a Critical HTTP RCE Wormable Bug – Advises Prioritizing This Patch
The Windows maker delivered this year's first batch of security updates to Windows 11, Windows 10, Microsoft Edge, Office, and other products. In total, Microsoft released patches for 96 bugs, some of them rated critical. One of these includes an HTTP Protocol Stack Remote Code Execution vulnerability, tracked as CVE-2022-21907, which the company has said is wormable.
"In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets," Microsoft said. No special privileges or user interaction are required, which is why the company rates exploitation as more likely.
"While this is definitely more server-centric, remember that Windows clients can also run http.sys, so all affected versions are affected by this bug," ZDI said in its report. Microsoft has recommended that users prioritize patching this security vulnerability on all affected servers since it could allow unauthenticated attackers to remotely execute arbitrary code.
Microsoft: HTTP bug isn't under active exploitation
While it's a wormable bug, CVE-2022-21907 isn't under active exploitation as yet. This gives users time to deploy patches to avoid exploitation. Microsoft has also shared the following mitigation:
In Windows Server 2019 and Windows 10 version 1809, the HTTP Trailer Support feature that contains the vulnerability is not active by default. The following registry value must be configured to introduce the vulnerable condition:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\"EnableTrailerSupport"=dword:00000001
Microsoft notes that this mitigation does not apply to all affected versions; on other builds the vulnerable code path is reachable regardless of this registry value. The complete list of affected versions and their associated security updates is available in Microsoft's Knowledge Base article for the advisory.
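The registry mitigation above is only meaningful on the two builds Microsoft names, so an inventory check has to report both the OS build and the value. The following PowerShell audit script is an added example and is not part of the article or of Microsoft's guidance; it assumes PowerShell 5.1 or later on Windows, and the build number 17763 it compares against (Windows 10 1809 and Windows Server 2019) is general Windows knowledge rather than a value taken from the article. The registry path and value name are exactly those from the mitigation text.

```powershell
# Added example (not from the article): report whether this host matches the
# build-specific mitigation for CVE-2022-21907 and whether the HTTP.sys
# "EnableTrailerSupport" value from Microsoft's note is set.
# Assumption: build 17763 = Windows 10 1809 / Windows Server 2019 (general
# Windows knowledge, not stated in the article).

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$valueName = 'EnableTrailerSupport'
$defaultOffBuild = 17763

# Current OS build from WMI/CIM (reliable regardless of the host process manifest).
$build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
$mitigationApplies = ($build -eq $defaultOffBuild)

# Read the value without throwing if the key or value is missing.
$prop = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue

if ($null -eq $prop) {
    $state = 'absent (trailer support not explicitly enabled)'
} elseif ($prop.$valueName -eq 1) {
    $state = 'enabled (vulnerable condition present on the named builds)'
} else {
    $state = "set to $($prop.$valueName)"
}

# Whether the HTTP.sys driver service is running at all: http.sys serves IIS
# and any other listener built on the HTTP Server API, on clients as well as servers.
$httpSvc = Get-Service -Name HTTP -ErrorAction SilentlyContinue
$httpState = if ($httpSvc) { $httpSvc.Status } else { 'not found' }

# Summary line: on non-17763 builds the registry value is irrelevant and the
# January 2022 update is the only remediation the article describes.
$verdict = if (-not $mitigationApplies) {
    'registry mitigation does not apply; patch required'
} elseif ($state -like 'enabled*') {
    'trailer support enabled; patch or disable before exposure'
} else {
    'trailer support off; still apply the update'
}

[PSCustomObject]@{
    ComputerName         = $env:COMPUTERNAME
    OSBuild              = $build
    MitigationApplies    = $mitigationApplies
    EnableTrailerSupport = $state
    HttpSysService       = $httpState
    Verdict              = $verdict
}
```

Run it with administrative rights so the HKLM read and service query succeed; the object it returns can be piped to `Export-Csv` for a fleet-wide roll-up, and any host whose verdict is not "trailer support off" on a 17763 build, or any host on another build, should be scheduled for the update.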