マMicrosoft has announced the release of a patch for a critical vulnerability tagged as worminess that was found to affect the latest desktop and server Windows versions, including Windows 11 and Windows Server 2022.
In many cases, an unauthenticated attacker can send specially crafted packets to a target server that uses the HTTP protocol stack (http.sys) to process the packets.
This bug was tracked as CVE-2022-21907 and patched in this month’s Patch Tuesday.
To exploit this vulnerability, an attacker would need to send maliciously crafted packets to a target Windows server that uses a vulnerable HTTP protocol stack for packet handling.
Microsoft recommends that customers prioritize patching all affected servers because the flaw could allow an unauthenticated attacker to remotely execute arbitrary code in low complexity attacks “in most circumstances” without requiring user interaction.
We recommend that customers apply the patch to all affected servers on a priority basis.
Remedy (some versions of Windows)
Fortunately, this flaw is not currently being actively exploited, and there are no publicly available proof-of-concept exploits.
In addition, some Windows versions (such as Windows Server 2019 and Windows 10 version 1809) do not have the HTTP Trailer Support feature enabled by default, including this bug.
In Windows Server 2019 and Windows 10 version 1809, the HTTP Trailer Support feature containing this vulnerability is inactive by default. The following registry key must be set in order to introduce the vulnerability.
Disabling the HTTP Trailer Support feature will protect systems running these two versions, but this mitigation does not apply to other affected Windows releases.
Potential targets are likely to be safe from attack
Most enterprises are likely to be protected from the CVE-2022-21907 exploit because they generally do not run the latest released version of Windows.
Over the past two years, Microsoft has patched several other worminess bugs affecting the Windows DNS server (aka SIGRed), the Remote Desktop Services (RDS) platform (aka BlueKeep), and the Server Message Block v3 protocol (aka SMBGhost). We have patched several other worminess bugs affecting the Remote Desktop Service (RDS) platform (aka BlueKeep) and the Server Message Block v3 protocol (aka SMBGhost).
In May 2021, we also addressed a vulnerability in Windows HTTP RCE (tracked as CVE-2021-31166 and tagged as wormable), and security researchers have released demo exploit code that triggers a blue screen of death.
Translated with www.DeepL.com/Translator (free version)