Hsinchu, Taiwan – Jan 18, 2022 – Last week, Microsoft published the “HTTP Protocol Stack Remote Code Execution Vulnerability - CVE-2022-21907” after it released a huge patch via Windows Update service. Of course, this huge patch has contained the fixes of CVE-2022-21907 already. All Microsoft Windows 10, Windows 11 and Windows Server 2019 users are strongly recommended to upgrade their Windows to the latest version because CVE-2022-21907 is a critical vulnerability.

By using CVE-2022-21907, cyber-criminals can send a specially crafted packet to the vulnerable Windows for remote code execution. Both web servers and clients will be impacted if the HTTP Protocol Stack “http.sys” is used for processing HTTP and HTTPS packets. For example, Microsoft Internet Information Services (IIS) uses “http.sys” by default.

CVE Id CVE Description CVSS v3 Score Severity Level Affected
MS-Windows Versions
CVE-2022-21907 HTTP Protocol Stack Remote Code Execution Vulnerability. 9.8 Critical Please check next table.

Note: Microsoft Windows Server 2019 and Windows 10 version 1809 are not vulnerable by default, unless you have enabled the HTTP Trailer Support via “EnableTrailerSupport” registry value.

Affected MS-Windows Versions
Microsoft Windows 10 Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for x64-based System
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 21H2 for 32-bit Systems
Windows 10 Version 21H2 for x64-based Systems
Windows 10 Version 21H2 for ARM64-based Systems
Microsoft Windows 11 Windows 11 for x64-based Systems
Windows 11 for ARM64-based Systems
Microsoft Windows Server Windows Server 2019 and Core Installation
Windows Server 2022 and Server Core Installation
Windows Server 20H2 Server Core Installation

 

Technical Detail of CVE-2022-21907

CVE-2022-21907 vulnerability is inside the HTTP Trailer Support feature of Windows HTTP protocol stack - “http.sys”. The “http.sys” is a kernel module of Windows. Therefore, exploiting CVE-2022-21907 and executing code remotely via “http.sys” can lead to a complete system compromise.

In most cases, assigning the DWORD registry value “EnableTrailerSupport” of “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters” to zero can protect your Windows against CVE-2022-21907.

CVE-2022-21907 is very similiar to the CVE-2021-31166. Both of them are HTTP protocol stack remote code execution vulnerability. The CVSS score of CVE-2021-31166 is 9.8, too. It seems the vulnerabilities of “http.sys” is not fully exploited.

Maybe some people are not familiar with HTTP trailer. HTTP trailer is defined in the Section 4.4 of RFC7230 - Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing. The following example is a HTTP response in HTTP chunked encoding with HTTP trailer.

HTTP/1.1 200 OK
Date: Mon, 17 Jan 2022 09:30:30 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Trailer: Expires

29
<html><body><p>The file you requested is
5
3,400
23
bytes long and was last modified:
1d
Sat, 15 Jan 2022 21:12:00 GMT
13
.</p></body></html>
0
Expires: Sat, 22 Jan 2022 21:12:00 GMT

As you can see, the http header contains a key named “Trailer” and its value is “Expires”. In the trailer of HTTP body, there is a key named “Expires” and its value is “Sat, 22 Jan 2022 21:12:00 GMT”. HTTP trailer must be used in a HTTP chunked encoding message.

In the technical report, “Patch diffing CVE-2022–21907”, by Chris Hernandez, Microsoft’s CVE-2022-21907 patch contains five updated functions - UlFastSendHttpResponse, UlpAllocateFastTracker, UlpFastSendCompleteWorker, UlpFreeFastTracker and UlAllocateFastTrackerToLookaside.

And security researcher “nu11secur1ty” has published the CVE-2022-21907 Proof of Concept. Please check that PoC for more detail.

The following is his CVE-2022-21907 PoC demo video.

nu11secur1ty's CVE-2022-21907 PoC demo video

Lionic’s Anti-Intrusion for CVE-2022-21907 Vulnerability

With the experience of CVE-2021-31166, Lionic understood the CVE-2022-21907 vulnerability quickly and released related signature. All Lionic security technology based products can protect against CVE-2022-21907 vulnerability after their signatures are updated to the latest version.

Partial list of Anti-Intrusion rules for CVE-2022-21907 vulnerability:

Rule ID Description
8100585 Microsoft Windows HTTP Protocol Stack Remote Code Execution
8100590 Microsoft Windows HTTP Protocol Stack Remote Code Execution

 

Conclusion

Microsoft has prepared software patches before they published this CVE-2022-21907 security alert. Most people can upgrade their Windows easily via the Windows Update service. However, many factory machines and medical equipment are developed based on Windows. They are encapsulated as embedded system and usually operating in a closed network. Software upgrade is difficult for them.

In this situation, network administrators who manage those factory machines or medical equipment can use the Lionic Pico-UTM as the “Virtual Bug Fix”. One Pico-UTM protects one important machine. And then network administrators do not need to worry about whether their machines have any unsolved vulnerabilities or not. Besides the anti-virus and anti-intrusion rules for these brand new Windows vulnerabilities, Lionic also collected many old Windows vulnerabilities and designed related rules. Lionic Pico-UTM is cost effective and can provide full protection for your important equipment.

 

References:

  1. HTTP Protocol Stack Remote Code Execution Vulnerability, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21907
  2. CVE-2022-21907, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21907
  3. CVE-2022-21907 Proof of Concept, https://github.com/nu11secur1ty/Windows10Exploits/blob/master/2022/CVE-2022-21907/PoC/PoC-CVE-2022-21907.py
  4. CVE-2022-21907 demo, https://www.nu11secur1ty.com/2022/01/cve-2022-21907.html
  5. Patch diffing CVE-2022–21907, https://piffd0s.medium.com/patch-diffing-cve-2022-21907-b739f4108eee
  6. CVE-2022-21907, https://attackerkb.com/topics/xlCKfuW3a8/cve-2022-21907

 

關於Lionic Corporation

Lionic Corporation是創新的「深層數據包檢測」解決方案的全球供應商。 Lionic的技術包括完整的基於DPI的軟件引擎和相關的管理軟件,這些軟件提供可解決防病毒,防入侵,防網絡威脅的「安全解決方案」。 以及「內容管理解決方案」,用於解決應用程序標識,設備標識,基於應用程序的QoS,Web內容過濾,家長控制。

Lionic的安全和內容管理解決方案,基於雲的掃描服務和簽名訂閱服務已經在世界範圍內廣泛部署, 他們幫助服務供應商,網絡設備製造商,半導體公司等,以實現下一代家用商業路由器網關,SD WAN邊緣和雲網關,高級防火牆,UTM,智慧網卡和移動設備。 那些由Lionic支持的產品可提供更好的網絡管理和保護全球網絡免受不斷增加的安全威脅。