Patch Tuesday: Web security issues in the spotlight in Microsoft’s bumper January update

A critical vulnerability in the Windows HTTP Protocol Stack presents a remote code execution (RCE) risk and could be “wormable”, Microsoft warns.

The vulnerability (tracked as CVE-2022-21907) stems from flaws in http.sys, the kernel-mode driver that parses HTTP requests on behalf of IIS, WinRM, WSDAPI and any other Windows service built on the HTTP Server API. Microsoft issued a patch to defend against the vulnerability yesterday (January 11) as part of the January edition of its regular, monthly Patch Tuesday updates.

Satnam Narang, staff research engineer at Tenable, commented: “To exploit this vulnerability, a remote, unauthenticated attacker could send a specially crafted request to a vulnerable server using the HTTP Protocol Stack.

“Microsoft warns that this vulnerability is wormable, meaning no human interaction would be required for an attack to spread from system to system.”

Danny Kim, principal architect at Virsec, added: “CVE-2022-21907 is a particularly dangerous CVE because of its ability to allow for an attack to affect an entire intranet once the attack succeeds. Microsoft has stated that this vulnerability is ‘wormable’ and should be patched immediately.”

A blog post by the SANS Institute’s Internet Storm Center explains that the problem arises from coding flaws in the HTTP trailers feature.

HTTP trailers let a sender append header fields after a chunked message body, for values such as a checksum or signature that are only known once the body has been written out. A specially crafted request that exercises this trailer-parsing code in http.sys is what triggers the flaw, so the attack surface is any service that exposes the HTTP Server API, not just IIS. Microsoft’s advisory adds a caveat that matters for prioritisation: on Windows Server 2019 and Windows 10 version 1809, trailer support is off unless an administrator has set the EnableTrailerSupport DWORD value to 1 under HKLM\System\CurrentControlSet\Services\HTTP\Parameters, so those builds are not vulnerable in their default configuration. Newer Windows 10, Windows 11 and Windows Server 2022 builds listed in the advisory have the feature enabled by default and should be patched first.
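To make the mechanism concrete, here is a small parser for an HTTP/1.1 chunked body with trailer fields, as described in RFC 7230 section 4.1, together with the two checks a hardened front end applies to trailers: that each trailer was announced in the request’s Trailer header, and that no trailer tries to carry a framing or routing field such as Content-Length after the body has already been consumed. This is an added example, not code from the original article, Microsoft or SANS ISC; the two requests, the header name X-Checksum and the trailer X-Evil are constructed for illustration.

```python
"""Chunked-body and trailer-field parsing for HTTP/1.1 (RFC 7230 section 4.1).

Added illustration, not code from the article, Microsoft or SANS ISC. The two
sample requests below are constructed; X-Checksum and X-Evil are made-up names.
"""
import re

# Fields RFC 7230 section 4.1.2 says must not appear in trailers: they control
# framing, routing, authentication or content handling and must be processed
# before the body is read, so a trailer copy can only be an attempt to confuse
# the parser or a downstream hop.
FORBIDDEN_IN_TRAILERS = {
    "transfer-encoding", "content-length", "host", "trailer", "te",
    "authorization", "cache-control", "expect", "max-forwards", "pragma",
    "range", "content-encoding", "content-type", "content-range",
}

def parse_header_lines(lines):
    """Turn b'Name: value' lines into a dict keyed by lower-cased name."""
    fields = {}
    for line in lines:
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        fields[name.strip().decode("ascii").lower()] = value.strip().decode("ascii")
    return fields

def parse_chunked(body):
    """Decode a chunked body; return (payload bytes, trailer dict).

    Chunks are '<hex-size>[;ext]CRLF <data> CRLF'. A zero-size chunk ends the
    data; zero or more trailer fields follow it, then a terminating CRLF.
    """
    pos, payload = 0, bytearray()
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            raise ValueError("truncated chunk-size line")
        size_text = body[pos:nl].split(b";", 1)[0].strip()
        if not re.fullmatch(rb"[0-9A-Fa-f]+", size_text):
            raise ValueError(f"bad chunk size: {size_text!r}")
        size = int(size_text, 16)
        pos = nl + 2
        if size == 0:
            break
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk data")
        payload += body[pos:pos + size]
        pos += size + 2
    trailer_lines = []
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            raise ValueError("truncated trailer section")
        line, pos = body[pos:nl], nl + 2
        if not line:
            break  # blank line ends the trailer part
        trailer_lines.append(line)
    if pos != len(body):
        raise ValueError("bytes left after end of chunked body")
    return bytes(payload), parse_header_lines(trailer_lines)

def inspect_request(raw):
    """Parse a raw HTTP/1.1 request and report how it uses trailers.

    Returns the decoded payload, the trailers seen, and two lists a hardened
    front end would reject on: trailers not announced in the Trailer header,
    and trailers carrying fields that are forbidden after the body.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    _request_line, *header_lines = head.split(b"\r\n")
    headers = parse_header_lines(header_lines)
    if "chunked" not in headers.get("transfer-encoding", "").lower():
        return {"payload": body, "trailers": {}, "undeclared": [], "forbidden": []}
    payload, trailers = parse_chunked(body)
    declared = {t.strip().lower() for t in headers.get("trailer", "").split(",") if t.strip()}
    return {
        "payload": payload,
        "trailers": trailers,
        "undeclared": sorted(n for n in trailers if n not in declared),
        "forbidden": sorted(n for n in trailers if n in FORBIDDEN_IN_TRAILERS),
    }

# Constructed sample 1: a well-formed chunked POST announcing one trailer.
GOOD_REQUEST = (
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
    b"Transfer-Encoding: chunked\r\nTrailer: X-Checksum\r\n\r\n"
    b"5\r\nhello\r\n6\r\n world\r\n0\r\n"
    b"X-Checksum: deadbeef\r\n\r\n"
)

# Constructed sample 2: trailers that were never announced, one of which tries
# to redefine framing (Content-Length) after the body has already been read.
BAD_REQUEST = (
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
    b"3\r\nabc\r\n0\r\n"
    b"Content-Length: 9999\r\nX-Evil: 1\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        print(name, inspect_request(req))
```

The second sample is the shape a reverse proxy or WAF in front of a Windows HTTP.sys host would want to drop outright: an unannounced trailer is already a protocol violation, and a framing field arriving in the trailer position can only be an attempt to confuse a parser. Whether a particular malformed trailer reaches the bug in http.sys is not something the public write-ups describe, so the parser above is a model of the feature, not of the vulnerability.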

Other flaws

The first Patch Tuesday in 2022 includes remediation for 126 CVEs, nine of which are rated critical.

The batch includes patches for three RCE vulnerabilities in Microsoft Exchange Server (CVE-2022-21846, CVE-2022-21969, CVE-2022-21855).

One of these flaws, CVE-2022-21846, was reported to Microsoft by the US National Security Agency.

Although the flaw is not exploitable across the internet, and requires the victim and the attacker to share the same network, “an insider or attacker with a foothold in the target network could use this bug to take over the Exchange server,” a blog post by Trend Micro’s Zero Day Initiative warns.

The patch batch also includes an update for the copy of the open source cURL tool that ships with Windows, fixing CVE-2021-22947. Microsoft lists the bug as an RCE, although the curl project’s own advisory, published last September when the flaw was originally disclosed, describes it as a STARTTLS protocol injection by a man-in-the-middle attacker.

Source: https://portswigger.net/daily-swig/patch-tuesday-web-security-issues-in-the-spotlight-in-microsofts-bumper-january-update
