HTTP.sys Remote Code Execution Vulnerability (CVE-2022-21907)
Remote Code Execution (RCE) is a class of security vulnerability that malicious users exploit to run arbitrary code on a compromised server or computer. A remote code execution attack is typically aimed at gaining system-level privileges and administrative access to a public-facing application, giving the unauthenticated attacker visibility of the server’s stack trace and the ability to interrupt user interaction. The HTTP Protocol Stack flaw identified as CVE-2022-21907 is catalogued in the CVE database as an RCE vulnerability with severe impact.
This article discusses the causes, impacts, and remediation options of the CVE-2022-21907 HTTP vulnerability.
What is CVE-2022-21907?
The Common Vulnerabilities and Exposures (CVE) database provides a reference for publicly disclosed security weaknesses and vulnerabilities. The database catalogs known cybersecurity flaws, helping DevSecOps teams coordinate their efforts to address these vulnerabilities and keep networks secure.
HTTP Protocol Stack Remote Code Execution (CVE-2022-21907) is a critical RCE vulnerability affecting applications that rely on Microsoft’s Internet Information Services (IIS) component. Attacks exploiting it target the HTTP.sys kernel-mode driver on which IIS and other Windows web services are built, and a single malformed request can freeze the OS, producing a Denial of Service (DoS). Beyond DoS, the vulnerability allows malicious actors to craft a malformed request and achieve remote code execution, gaining elevated privileges to access binary files, network stack traces, and other sensitive information.
Windows versions that are known to be vulnerable to CVE-2022-21907 include:
- Version 1809 for 32-bit Systems
- Version 1809 for x64-based Systems
- Version 1809 for ARM64-based Systems
- Version 21H1 for 32-bit Systems
- Version 21H1 for x64-based Systems
- Version 21H1 for ARM64-based Systems
- Version 20H2 for 32-bit Systems
- Version 20H2 for x64-based Systems
- Version 20H2 for ARM64-based Systems
- Version 21H2 for 32-bit Systems
- Version 21H2 for x64-based Systems
- Version 21H2 for ARM64-based Systems
- Windows 11 for x64-based Systems
- Windows 11 for ARM64-based Systems
Microsoft Windows Server
- Windows Server 2019 and Server Core Installation
- Windows Server 2022 and Server Core Installation
- Windows Server 20H2 Server Core Installation
An attack capitalizing on the RCE vulnerability is usually preceded by an information-gathering phase, in which the attacker runs an automated vulnerability scan for attack surface discovery. The exploit then involves scripts that deliver the arbitrary code to the target machine, with the eventual goal of obtaining system-level privileges.
Remote code execution is orchestrated in several ways, including:
- Injection attacks — This form of attack takes advantage of interfaces that pass user-provided data into system commands, letting attackers deliberately supply malicious code as input. The web server then executes the command, treating the attacker-controlled input as an authoritative source and granting the attacker network and system access.
- Deserialization — Web applications use serialization to combine multiple pieces of data into a single string for easier storage and communication. Attackers can embed malformed HTTP packets within the serialized data, which the program may interpret as executable code during deserialization.
- Out-of-bounds write — Malicious actors supply attacker-controlled data that is written outside the allowed buffers; this typically results in complete system compromise, data corruption, or arbitrary code execution.
Impact of CVE-2022-21907
Remote code execution attacks can be performed against applications whose HTTP protocol stack improperly parses a malformed request. Once unauthenticated attackers can execute arbitrary code in the context of a system account, they can perform a wide range of actions on the target machine, including:
- Initial access — Malicious actors exploit CVE-2022-21907 as an entry point into target machines running a public-facing application. An RCE attack is most commonly used as a springboard to install malicious software and to perform social engineering or other forms of attack.
- Denial of Service — A single instance of the attack usually results in the Windows machine restarting and then functioning normally. Under persistent attack, the machine keeps crashing, leading to a Denial of Service of the target virtual machine.
- Ransomware attacks — With system-level privileges, a malicious user can manipulate the entire system to seize all data and infrastructure resources used to run the application. Such attacks usually demand money from the target organization to restore functionality.
- Information disclosure — A remote attacker sends malformed HTTP packets to install data-scraping software or directly runs commands to obtain data from the affected virtual machine and send it out.
- Cryptomining — A malicious user leverages the computational resources of the target machine to mine cryptocurrencies, eventually degrading the web server’s performance and availability and raising its operating costs.
The impact and severity of an attack depend on the target machine, the services it hosts, and the data it processes. The vulnerability carries a severity rating of critical, as it can allow complete system compromise if left unchecked. Its exploitability is high, since the malicious user only needs to send a basic request containing specially crafted commands to the target system.
The attack is also simple to orchestrate, since it requires no user interaction for the payload to reach the vulnerable code. In addition, an active attack is difficult to detect, which makes the vulnerability attractive for planting arbitrary code as a persistent threat within the application.
Although organizations may adopt different practices for different use cases, here are some common strategies to mitigate the CVE-2022-21907 vulnerability:
- Disabling HTTP trailer header support — On Windows 10 version 1809 and Windows Server 2019, applications are only vulnerable if HTTP trailer support is enabled. Deleting the DWORD registry value EnableTrailerSupport under the machine’s HTTP parameters key is the recommended workaround and removes the exposure on those versions.
- Performing proper input sanitization — Most RCE attacks target deserialization and injection vulnerabilities. Validating and encoding user input helps break the attack chain by limiting the execution of malicious code.
- Secure memory management — Attackers usually rely on memory-handling flaws such as uninitialized memory and buffer overflows to achieve code execution. One common remediation approach is scanning applications regularly so that these vulnerabilities are found and fixed before remote attackers can exploit them.
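The following audit script is an added example (not from the original article or from Microsoft) that checks a Windows host against the trailer-support workaround above and reports what is listening through HTTP.sys. It assumes the EnableTrailerSupport DWORD sits under the standard HTTP.sys parameters key, and it uses the fact that build 17763 is Windows 10 version 1809 / Windows Server 2019.

```powershell
# Added audit script, not part of the article: reports whether this host matches the
# CVE-2022-21907 mitigation conditions described above. Assumed: EnableTrailerSupport
# lives under the standard HTTP.sys parameters key shown here.
$httpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# DisplayVersion is populated from 20H2 onward; ReleaseId carries the older "1809" name.
$version = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }
$build   = [int]$cv.CurrentBuildNumber
Write-Host "OS: $($cv.ProductName) $version (build $build)"

# State of the kernel-mode HTTP.sys driver: nothing is exposed through it while stopped.
$httpSvc = Get-Service -Name HTTP -ErrorAction SilentlyContinue
Write-Host "HTTP.sys driver: $($httpSvc.Status)"

$trailer = (Get-ItemProperty -Path $httpParams -Name EnableTrailerSupport `
            -ErrorAction SilentlyContinue).EnableTrailerSupport

if ($build -eq 17763) {
    # Build 17763 is Windows 10 1809 / Server 2019: exposed only when trailer support is on.
    if ($null -eq $trailer -or $trailer -eq 0) {
        Write-Host "EnableTrailerSupport absent or 0: trailer support off, workaround in place"
    } else {
        Write-Warning "EnableTrailerSupport = $trailer : HTTP trailer support is ON"
        # The article's workaround: delete the DWORD. Drop -WhatIf to apply, then restart
        # the HTTP service (or reboot) so HTTP.sys re-reads its parameters.
        Remove-ItemProperty -Path $httpParams -Name EnableTrailerSupport -WhatIf
    }
} else {
    # 20H2, 21H1, 21H2, Windows 11, Server 2022: no registry workaround exists; the vendor
    # security update for CVE-2022-21907 is the only fix, so confirm it is installed.
    Write-Warning "Build $build has no trailer-support workaround; verify the security update"
}

# URL reservations actually served through HTTP.sys (IIS, WinRM, ...): these are the
# public-facing surfaces the patch or workaround must cover.
netsh http show servicestate view=requestq verbose=no | Select-String -Pattern 'https?://'
```

Run it in an elevated PowerShell session; the Remove-ItemProperty line only previews the change until -WhatIf is removed.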
Attackers can achieve Remote Code Execution through CVE-2022-21907 by sending an HTTP request with a crafted Accept-Encoding header. While processing the header, the HTTP.sys protocol stack triggers a double-free in its handling of the unknown coding list, leading to a kernel crash.
The attack is usually performed by first identifying the target machine’s IPv4 address, typically with DNS lookup tools like nslookup or local host tools like ipconfig. Once the IPv4 address is obtained, the attacker builds a malformed HTTP request in a programming language of their choice and sends it to the target machine.
Does using anti-CSRF tokens prevent CVE-2022-21907 RCE attacks?
Rather than categorically preventing CVE-2022-21907 attacks, anti-CSRF tokens stop attackers from submitting valid external requests to the backend server. Because such tokens restrict an attacker from running commands on a target host from their remote machine, anti-CSRF tokens are known to offer a rudimentary form of protection against Remote Code Execution attacks.
Is the CVE-2022-21907 RCE vulnerability wormable?
The HTTP.sys protocol remote code execution vulnerability does not require human interaction to deliver an attack vector to another vulnerable Windows server. As a result, adversaries can turn CVE-2022-21907 into a network worm that affects every connected host where the HTTP trailer support feature is enabled.
This article was originally published at https://crashtest-security.com/cve-2022-21907-http-vulnerability/ and is republished here with the authorization of Crashtest Security.