John Layden January 12, 2022 15:20 UTC
Updated: 12 Jan 2022 15:56 UTC
‘Worm’ flaw in HTTP stack draws attention
A critical vulnerability in the Windows HTTP stack poses a remote code execution (RCE) risk and could be “wormable,” Microsoft has warned.
The vulnerability (tracked as CVE-2022-21907) stems from a bug in http.sys, the Windows component that handles HTTP requests. Microsoft released a patch yesterday (January 12) to defend against the vulnerability as part of the January release of its regular monthly Patch Tuesday update.
Satnam Narang, Research Engineer at Tenable, commented: “To exploit this vulnerability, an unauthenticated remote attacker could use the HTTP protocol stack to send a specially crafted request to the vulnerable server.
“Microsoft warns that this vulnerability is wormable, which means that no human intervention is required for an attack to propagate from one system to another.”
Danny Kim, Principal Architect at Virsec, added: “CVE-2022-21907 is a particularly dangerous CVE because, once successful, it allows the attack to affect the entire intranet. Microsoft has stated that this vulnerability is ‘wormable’. It should be repaired immediately.”
A blog post from the SANS Institute’s Internet Storm Center explained that the problem was caused by a coding flaw in the HTTP trailer feature.
The HTTP trailer support feature, which allows senders to include additional fields in the message, can be manipulated with specially crafted messages to run attacks.
Other defects
The first Patch Tuesday of 2022 includes fixes to 126 CVEs, 9 of which are rated critical.
This batch includes patches for three RCE vulnerabilities (CVE-2022-21846, CVE-2022-21969, CVE-2022-21855) in Microsoft Exchange Server.
One of these flaws, CVE-2022-21846, was reported to Microsoft by the NSA.
Although the vulnerability cannot be exploited over the Internet and requires the victim and attacker to share the same network, “an insider or attacker with a foothold in the target network could exploit this vulnerability to take over Exchange servers,” a blog post from Trend Micro’s Zero Day Initiative warns.
The patch batch also includes updates to the open-source cURL software, including a fix for the RCE vulnerability (CVE-2021-22947), which was initially disclosed last September.

