
Critical, “Wormable” Microsoft Vulnerability Could Lead to Cyberattacks

The Microsoft HTTP Protocol Stack RCE vulnerability is “wormable,” meaning no human interaction is required for the cyberattack to spread.

Microsoft released its January 2022 security updates, containing dozens of vulnerability patches, some of which were rated as “critical” and could lead to cyberattacks if not patched immediately.

One vulnerability, CVE-2022-21907, involves a remote code execution (RCE) flaw in the HTTP Protocol Stack. The vulnerability may be enabled in Windows Server 2022, 20H2 Core, and various Windows 10 and Windows 11 versions. The http.sys vulnerability is “wormable,” meaning that an attack can spread from one vulnerable Windows server to another without any human interaction.

“In Windows Server 2019 and Windows 10 version 1809, the HTTP Trailer Support feature that contains the vulnerability is not active by default,” Microsoft noted. A specific registry key must be configured to introduce the vulnerable condition.

“In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets,” the notice continued.

Microsoft recommended that organizations prioritize patching immediately. Johannes Ullrich, dean of research for SANS Technology Institute and co-founder of the Internet Storm Center, also urged organizations to patch this week.

“Microsoft implemented http.sys as a kernel-mode driver. In other words: Running code via http.sys can lead to a complete system compromise,” Ullrich noted in an email to HealthITSecurity.

“However, past vulnerabilities (for example, CVE-2021-31166) were never fully exploited as several techniques were used to mitigate exploitation, and PoCs released were only able to cause a denial of service. The CVSS 3.1 base score for the vulnerability is 9.8 out of 10.”

Ullrich said that web application firewalls could help mitigate risk. Microsoft currently rates the vulnerability as “exploitation more likely,” but no exploit is publicly available at this time.

Microsoft also alerted organizations to another critical RCE vulnerability in Microsoft Exchange, CVE-2022-21846. However, this vulnerability requires the victim and attacker to share the same network and is not exploitable across the internet.
