In the last Patch Tuesday (January 11, 2022), Microsoft released a patch for a critical vulnerability in the HTTP Protocol Stack (http.sys), CVE-2022-21907. This vulnerability, which received a CVSS Base Score of 9.8, allows an unauthenticated attacker to send a specially crafted packet to the server and run malicious code.
The affected operating systems include Windows 10, Windows Server 2019 (Builds 1809 and 20H2 or higher) and Windows Server 2022.
Windows 10 and Windows Server 2019 build 1809 are not vulnerable by default; they become vulnerable only if “HTTP Trailer Support” was enabled. This can be checked by querying the registry for a specific key whose presence means this configuration is enabled (a temporary mitigation could be deleting this registry value).
Windows 10 and Windows Server 2019, builds 20H2 or higher, and Windows Server 2022 have “HTTP Trailer Support” enabled by default, making them vulnerable.
Cymulate released a small scanner under the “Advanced Scenarios” part of the platform, to help our customers scan their network for potentially vulnerable hosts. This scanner relies on searching for the vulnerable build versions (or the relevant registry key) and does not attempt to exploit the vulnerability.
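The build and registry rules above can be applied to an existing host inventory without touching the hosts. The following is an added example, not Cymulate's scanner: the function names, status labels and inventory rows are assumptions made for illustration. The build numbers are Microsoft's public release builds, and the trailer-support and patch flags are assumed to have been collected separately.

```python
from typing import Optional

BUILD_1809 = 17763   # Windows 10 1809 / Windows Server 2019
BUILD_20H2 = 19042   # Windows 10 20H2 / Windows Server, version 20H2
                     # (Windows Server 2022 is build 20348, above 20H2)

def os_build(version: str) -> int:
    """Extract the build from a version string such as '10.0.17763.2366'."""
    parts = version.strip().split(".")
    if len(parts) < 3 or parts[:2] != ["10", "0"]:
        raise ValueError(f"not a Windows 10-family version: {version!r}")
    return int(parts[2])

def triage(version: str, trailer_support: Optional[bool], patched: bool) -> str:
    """Classify one host by the advisory's rules.

    trailer_support: result of the registry check (None if not collected).
    patched: True when the January 2022 update is installed.
    """
    try:
        build = os_build(version)
    except ValueError:
        return "not-listed"
    # Builds other than 1809 and 20H2-or-higher are not in the affected list.
    if build != BUILD_1809 and build < BUILD_20H2:
        return "not-listed"
    if patched:
        return "patched"
    if build >= BUILD_20H2:
        return "vulnerable"          # trailer support is on by default
    if trailer_support is None:
        return "check-registry"      # 1809: exposure depends on the setting
    return "vulnerable" if trailer_support else "not-vulnerable-by-default"

# Constructed sample rows: host, OS version, trailer_support, patched
INVENTORY = [
    ("web01", "10.0.17763.2366", None, False),
    ("web02", "10.0.17763.2366", True, False),
    ("app01", "10.0.19042.1415", None, False),
    ("srv22", "10.0.20348.405", None, True),
    ("old01", "6.3.9600", None, False),
]

def report(rows):
    """Map each host name to its triage status."""
    return {host: triage(v, t, p) for host, v, t, p in rows}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:6} {status}")
```

Hosts reported as `check-registry` are 1809 machines where the registry check has not been run yet, so they should be queried before being treated as safe.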
It is highly recommended to patch the vulnerable hosts as soon as possible.