Worming your way in through IIS
By Trellix · January 27, 2022
This story was written by Eion Carroll.
IIS HTTP Stack History
In the first Patch Tuesday of 2022, Microsoft released a patch for a wormable vulnerability, CVE-2022-21907, within the IIS HTTP stack, or more specifically the HTTP.sys driver. This is the second such vulnerability in the Microsoft HTTP.sys driver within the last 7 months, both with a critical CVSS score of 9.8. As always, our objective for critical industry vulnerability analysis is to protect our customers and the broader community of internet-connected users by using qualitative and experience-based analysis. While the security industry is still recovering from the aftermath of “Log4j” CVE-2021-44228, we cannot lose sight of other critical vulnerabilities with wormability characteristics.
CVE-2021-31166, which we analyzed 7 months ago, was also wormable but did not see much weaponization. This may be in part because enterprises are now reducing their exposure window by patching sooner, as a result of earlier vulnerabilities, including the infamous EternalBlue, and in part because of active work by threat research teams to flag critical vulnerabilities which must be patched.
CVE-2022-21907 Vulnerability Analysis and Attack Scenario
From our patch analysis, CVE-2022-21907 is an uninitialized memory vulnerability within two memory allocation functions called UlpAllocateFastTracker and UlAllocateFastTrackerToLookaside. These functions fail to zero allocated memory in the kernel non-paged pool before performing later operations. By grooming the kernel non-paged pool remotely, it is possible to place the pool memory into a state in which the uninitialized memory allocated by UlpAllocateFastTracker and UlAllocateFastTrackerToLookaside is populated with attacker-controlled data. Grooming is achieved by sending very large HTTP header fields with attacker-controlled data, which results in allocations in the kernel non-paged pool. From our analysis, it takes several minutes to groom the kernel non-paged pool to crash a system, but this time is completely dependent on a server’s existing kernel pool memory state. Successful exploitation would require remotely creating read, write, and execute primitives, which is no easy task. However, the vulnerability has the properties to achieve remote code execution and denial-of-service (Blue Screen of Death) for affected versions of Windows. Being able to remotely crash IIS without requiring authentication would of course be enticing for attackers.
Microsoft clearly states in the advisory which Windows OS versions are impacted; however, there has been much discussion in the industry regarding which versions are impacted. Therefore, we recommend patching all IIS servers, focusing on externally facing IIS servers as a top priority. For those who are unable to apply Microsoft’s update, we are providing a “virtual patch” in the form of a network IPS signature that can be used to detect and prevent exploitation attempts for this vulnerability. If you cannot patch or protect by using our network IPS signature, then we recommend detecting at the network level for HTTP header fields with very large data being sent in many consecutive HTTP requests, which would indicate remote grooming. Web servers generally only check the total size of all HTTP header fields and not the length of each individual field.
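The network-level check recommended above can be sketched as follows. This is an added example, not Trellix's IPS signature or any product's logic: it measures each header field individually rather than the header total, and alerts when one source sends many oversized requests in a short window. The thresholds, function names, header name and sample traffic are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed tuning values (not from the article); derive real ones from your baseline.
MAX_FIELD_BYTES = 8192   # one header value longer than this counts as "very large"
BURST_COUNT = 5          # this many oversized requests ...
BURST_WINDOW_S = 60.0    # ... from one source within this many seconds raises an alert


def largest_field(raw_request):
    """Return (name, value length) of the longest header field in a raw HTTP/1.x request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    name, size = "", 0
    for line in head.split(b"\r\n")[1:]:              # skip the request line
        key, sep, value = line.partition(b":")
        if sep and len(value.strip()) > size:
            name, size = key.decode("latin-1").strip(), len(value.strip())
    return name, size


def detect_grooming(events):
    """events: time-ordered (timestamp_s, source_ip, raw_request) tuples.
    Returns (timestamp, source_ip, oversized_count) alerts."""
    recent = defaultdict(deque)   # source_ip -> timestamps of oversized requests
    alerts = []
    for ts, src, raw in events:
        if largest_field(raw)[1] <= MAX_FIELD_BYTES:
            continue                                  # per-field check, not the header total
        window = recent[src]
        window.append(ts)
        while ts - window[0] > BURST_WINDOW_S:        # drop entries older than the window
            window.popleft()
        if len(window) >= BURST_COUNT:
            alerts.append((ts, src, len(window)))
            window.clear()                            # re-arm: one alert per burst
    return alerts


def _req(field_len):
    # Constructed sample request; the header name X-Sample is arbitrary.
    return (b"GET / HTTP/1.1\r\nHost: example.test\r\nX-Sample: "
            + b"A" * field_len + b"\r\n\r\n")


# Constructed traffic: 192.0.2.10 sends six oversized requests in 10 s;
# 198.51.100.7 sends a single oversized request and one normal request.
SAMPLE = [(float(i * 2), "192.0.2.10", _req(20000)) for i in range(6)]
SAMPLE += [(1.0, "198.51.100.7", _req(20000)), (3.0, "198.51.100.7", _req(40))]
SAMPLE.sort(key=lambda e: e[0])
```

Running `detect_grooming(SAMPLE)` flags only the source that repeats oversized fields; the single large request from the second source stays below the burst threshold.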
At the time of this writing, we are unaware of any “in-the-wild” exploitation for CVE-2022-21907 but will continue to monitor the threat landscape and provide relevant updates. We are starting to see a trend of HTTP.sys vulnerabilities and urge enterprises to be prepared for potential further prioritized patching.
PATCH NOW if you are using IIS!
McAfee Network Security Platform (NSP) Protection
Component attack: 0x452a1500 “HTTP: Long Request Header Detected”
Correlation attack: 0x452a1300 “HTTP: Microsoft IIS Protocol Stack Remote Code Execution Vulnerability (CVE-2022-21907)”
McAfee Knowledge Base Article KB95180