Wormable Windows HTTP Vulnerability – What You Need to Know

Yesterday was the first Patch Tuesday of 2022, which fixed over 100 security holes.

As we do every month, we've written an update overview on our sister site news.sophos.com: First Patch Tuesday of 2022 fixes 102 bugs.

For better or worse, one update is getting more media attention than any other, namely CVE-2022-21907, more descriptively known as the HTTP Stack Remote Code Execution Vulnerability.

The flaw is one of seven this month that could lead to remote code execution (RCE), a class of vulnerability that means someone outside your network can trick a computer inside your network into running a program of their choosing without asking permission first.

No login required first; no pop-up warning at the other end; no Are you sure (Y/N)? prompt.

Just send the command and the malware runs.

That's the theory, anyway.

RCE bugs considered wormable

One thing to remember about most RCE vulnerabilities is that if you can attack someone else’s computer from the outside and instruct it to run a malicious program of your choice…

…then it’s possible, even probable, that you could tell it to run the same program you yourself used to launch the attack.

In other words, you could exploit the vulnerability to infect Victim 1 with a malicious program W, use W on Victim 1 to target and infect Victim 2 with W, use W on Victim 2 to target Victim 3… and so on, perhaps indefinitely.

In such an attack, we give the program W a special name: we call it a worm.

A worm is a type of malware (short for malicious software) that is commonly, if loosely, referred to as a computer virus, an umbrella term for any kind of self-replicating malware.

This means that most RCE bugs are, at least in theory, wormable: they could be exploited to launch a chain of automated, self-propagating and self-sustaining malware infections.

The reasoning is obvious: if an RCE bug lets you run arbitrary programs of your choosing on someone else's computer, such as popping up CALC.EXE or launching NOTEPAD, then it will almost certainly let you run one specific program of your choice, such as a worm.

Some bugs are more wormable than others

As you can imagine, some classes of RCE vulnerability are considered more wormable than others, especially those that can be triggered directly by a simple network interaction.

This was a particularly worrying risk in the recent Log4Shell saga, where a single booby-trapped network request containing some unusual but otherwise innocuous-looking ASCII text could trigger arbitrary remote code execution.

Unfortunately, CVE-2022-21907 is a bug in the same category, as Microsoft's own security bulletin makes clear in its FAQ section:

*How could an attacker exploit this vulnerability?*

In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (HTTP.sys) to process packets.

*Is this wormable?*

Yes. Microsoft recommends prioritizing the patching of affected servers.

Does this have anything to do with IIS?

Where and how is the HTTP stack activated?

Is this an issue unique to Windows servers, as Microsoft’s bulletin suggests when it comes to patching “affected servers”?

Does the attack depend on whether you already have a well-known web server such as Microsoft IIS (Internet Information Services) installed and activated?

The answers to these questions are as follows:

  • HTTP.sys is part of Windows, and is used by any program built on ASP.NET.
  • HTTP.sys is present on Windows 7 clients and later.
  • HTTP.sys is present on Windows Server 2008 R2 and later.
  • HTTP.sys is not part of IIS, and IIS does not need to be installed.

The last point above makes it clear that, whether or not you have IIS deployed, you may have any number of applications in use (perhaps without realising it) that provide HTTP-based interfaces through HTTP.sys.

In fact, Microsoft's own documentation states that "HTTP.sys is very useful […] [when] the server needs to be exposed directly to the Internet without using IIS."

Indeed, IIS is built on HTTP.sys, not the other way around, as Microsoft explains:

HTTP.sys is a mature technology that provides protection against many types of attacks and provides the robustness, security, and scalability of a full-featured web server. IIS itself runs on top of HTTP.sys as an HTTP listener.

In short: in theory, you could install an application, even on a desktop or laptop, that offers some kind of web-based interface served by the HTTP.sys driver code.

The silver lining, at least for some users, is that the part of HTTP.sys containing the CVE-2022-21907 bug:

  • Only affects Windows 10 and later on the desktop side.
  • Only affects Windows Server 2019 and later on the server side.
  • Is not enabled by default on Windows Server 2019.
  • Is fixed simply by installing the January 2022 Patch Tuesday update.

As far as we know, the reason this vulnerability does not exist in earlier versions of Windows and Windows Server is that it was found in the code that handles HTTP Trailers (which are similar to HTTP Headers, except that they are sent after the HTTP data instead of before it); HTTP Trailer support was only added along with HTTP/2 support; and HTTP/2 support only arrived in the Windows 10 era.

What to do?

If you really can't patch right away, and you know you aren't running (or at least aren't planning to run) any web-based software that relies on HTTP.sys, you can temporarily block HTTP.sys on your computer by setting the following registry value:

HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Start = DWORD(4)

The usual value for this registry entry is 3, meaning "on demand"; changing it to 4 marks the driver as "disabled".

After rebooting, you can check the status of HTTP.sys with the regular SC (Service Control) command at a command prompt:

C:\Users\duck> sc query HTTP
SERVICE_NAME: HTTP 
   TYPE               : 1  KERNEL_DRIVER  
   STATE              : 1  STOPPED    <--before applying the registry hack above, this line said: "4 RUNNING"
   WIN32_EXIT_CODE    : 1077  (0x435)
   SERVICE_EXIT_CODE  : 0  (0x0)
   CHECKPOINT         : 0x0
   WAIT_HINT          : 0x0
C:\Users\duck>

Note that we have only tested this workaround in the crudest way. We installed Server 2022, enabled IIS, created a home page and verified that it was reachable from another computer. We then changed the Start value for the HTTP service to 4, as above, and rebooted. Our IIS server was no longer accessible. We restored the registry value to 3, rebooted again and verified that IIS came back to life automatically. From this we infer that disabling the HTTP service does indeed prevent HTTP-based network access to the higher-level software that might otherwise be affected by this bug, which we assume temporarily makes the vulnerability untriggerable.
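The following PowerShell snippet is an added example, not part of the original article or of any Microsoft tooling. It audits the state of the workaround described above (the Start value and the driver's current status), lists the URLs currently registered with HTTP.sys so you can see which software would stop working, and wraps the registry change in a function that supports -WhatIf. Run it from an elevated prompt; the registry path and the meaning of the values 3 and 4 are as given in the article.

```powershell
# Added example: audit and (optionally) apply the HTTP.sys Start-value workaround.
# Requires an elevated PowerShell session on Windows 10 / Server 2019 or later.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP'

function Get-HttpSysState {
    # Read the Start value that the workaround changes (3 = on demand, 4 = disabled)
    $start = (Get-ItemProperty -Path $regPath -Name Start).Start
    $meaning = switch ($start) {
        0 { 'Boot' } 1 { 'System' } 2 { 'Automatic' } 3 { 'On Demand' } 4 { 'Disabled' }
        default { "Unknown ($start)" }
    }
    # Kernel drivers are visible through Get-Service just like user-mode services
    $svc = Get-Service -Name HTTP -ErrorAction Stop
    [pscustomobject]@{
        StartValue = $start
        StartMode  = $meaning
        Status     = $svc.Status      # Running / Stopped, as 'sc query HTTP' shows
    }
}

function Get-HttpSysListeners {
    # netsh dumps every server session and URL group registered with HTTP.sys;
    # only the 'Registered URLs' entries (HTTP:// or HTTPS:// prefixes) are kept,
    # because each one is an application that disabling the driver would break.
    netsh http show servicestate |
        Select-String -Pattern '^\s+HTTPS?://' |
        ForEach-Object { $_.Line.Trim() }
}

function Set-HttpSysStart {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet(3, 4)][int]$Value)
    if ($PSCmdlet.ShouldProcess("$regPath\Start", "set to $Value")) {
        Set-ItemProperty -Path $regPath -Name Start -Value $Value -Type DWord
        Write-Warning 'Reboot before expecting the new Start value to take effect.'
    }
}

Get-HttpSysState | Format-List
Write-Host 'URLs currently registered with HTTP.sys:'
Get-HttpSysListeners
# Apply the workaround only if nothing listed above must stay reachable:
#   Set-HttpSysStart -Value 4 -WhatIf   # preview
#   Set-HttpSysStart -Value 4           # apply, then reboot
#   Set-HttpSysStart -Value 3           # revert once patched, then reboot
```

An empty listener list does not prove HTTP.sys is unused: an application that registers its URLs only at start-up will be missing if it is not currently running, so patching remains the reliable fix.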

Our main recommendations are:

  • Assume that all RCE vulnerabilities are wormable. As mentioned earlier, bugs that can be triggered directly over a regular network connection carry by far the greatest risk of being "wormed", but in theory any bug that allows arbitrary remote code execution could be used to run worm code.
  • Assume that cybercriminals are already actively digging into this bug, and into all the other RCE vulnerabilities patched this Tuesday. You've probably heard the joke that Patch Tuesday is followed by Exploit Wednesday, given that even closed-source patches are often reverse engineered, revealing the internal details of the bugs they fix. (See point 1.)
  • Patch early, patch often. Don't rely on workarounds to buy extra time as a regular part of your patching process. Patching is the preferred option; workarounds are for situations where you genuinely need to delay patching for a while. (See points 1 and 2.)

Without further ado…do it today!

Learn more about January 2022 Patch Tuesday
