CVE-2022-21907: New Wormable Vulnerability in Microsoft Windows

Included in Microsoft's "Patch Tuesday" release of January 11, 2022, is a fix for CVE-2022-21907 (CVSS 3.1 base score 9.8, Critical).

Per Microsoft, this is a remote code execution vulnerability in the HTTP Protocol Stack (http.sys), the kernel-mode driver that serves HTTP for IIS, WinRM, and any other Windows service that listens through it. An unauthenticated attacker triggers it by sending crafted packets to a listening host; exploitation requires no user interaction, and Microsoft describes the bug as wormable. Windows 10 version 1809 and later, Windows 11, Windows Server 2019, and Windows Server 2022 are affected. No exploitation in the wild has been reported so far, but Microsoft rates the bug "Exploitation More Likely", and exposed http.sys listeners are easy to find, so treat the likelihood of exploitation as high.

Remediation

The January 2022 cumulative update from Microsoft fixes this vulnerability on every affected version. Install the update and restart the system; because the fix is to a kernel-mode driver, the restart is required for it to take effect.

If patching and restarting servers is not immediately viable, there is an interim mitigation, but only for Windows Server 2019 and Windows 10 version 1809:

On those two versions, the HTTP Trailer Support feature that contains the vulnerable code is not enabled by default, so a host is only exposed if the following registry value has been set, which introduces the vulnerable condition:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\

   "EnableTrailerSupport"=dword:00000001

Check each host for that value; if it is present and set to 1, delete it (or set it to 0) until the update can be installed. This mitigation does not apply to the other affected versions (Windows Server 2022, Windows 10 versions after 1809, and Windows 11), for which Microsoft provides no workaround; those systems must be patched.
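The check and interim mitigation described above, as an added PowerShell example that is not part of the original post and not Microsoft's code. The registry path and value name are the ones from Microsoft's advisory; the build-number check (17763 is Windows 10 version 1809 / Windows Server 2019), the -Apply switch, and the reboot advice are this script's own assumptions.

```powershell
<#
Added example (not from the original post or from Microsoft): audit a host for
the CVE-2022-21907 interim mitigation and optionally apply it. Run elevated.
#>
param([switch]$Apply)

$paramsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$valueName = 'EnableTrailerSupport'

# Assumption: build 17763 identifies Windows 10 version 1809 and Windows Server 2019,
# the only releases where the registry mitigation applies.
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
if ($build -ne 17763) {
    Write-Warning "Build $build is not 1809/Server 2019; the registry mitigation does not apply. Install the January 2022 cumulative update."
    return
}

# Read the value; a missing value is the default (trailer support off).
$current = (Get-ItemProperty -Path $paramsKey -Name $valueName -ErrorAction SilentlyContinue).$valueName

if ($null -eq $current -or $current -eq 0) {
    Write-Output "$valueName is absent or 0: HTTP trailer support is off, host is not exposed via this path."
    return
}

Write-Output "$valueName = $current : HTTP trailer support is enabled, host is exposed to CVE-2022-21907."

if ($Apply) {
    # Deleting the value returns http.sys to its default (trailers disabled).
    Remove-ItemProperty -Path $paramsKey -Name $valueName
    # Assumption: http.sys reads its Parameters key at driver start, so reboot to be sure.
    Write-Output "Removed $valueName. Reboot, then re-run this script to confirm."
} else {
    Write-Output "Re-run with -Apply to remove the value, or install the update."
}
```

Run it with no arguments to audit a host, and with -Apply to remove the value. Hosts on any other build get a warning and must be patched; the script deliberately does nothing else there, since no registry change mitigates the bug on those versions.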

Resources