Microsoft has patched a flaw that affects Windows desktop and server versions, including Windows 11 and Windows Server 2022. The vulnerability, tracked as CVE-2022-21907, is rated critical and is also tagged as wormable. The flaw lies in HTTP.sys (the HTTP Protocol Stack), the kernel-mode protocol listener used by the Windows Internet Information Services (IIS) web server.
Patch and mitigation
To exploit the vulnerability, an unauthenticated attacker can send maliciously crafted packets to Windows servers that use the HTTP Protocol Stack to process packets. This allows attackers to remotely execute arbitrary code in a low-complexity attack that, in most situations, requires no user interaction.
Microsoft patched the vulnerability, which has a CVSS score of 9.8, in this month’s Patch Tuesday release and urged users to apply the update as soon as possible. No proof-of-concept code has been published publicly yet, and the vulnerability isn’t known to be under active exploitation.
Microsoft also published a mitigation for the flaw. On Windows Server 2019 and Windows 10 version 1809, the HTTP Trailer Support feature that contains the vulnerability is not active by default; the vulnerable condition exists on those versions only if the following registry value has been configured:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\ "EnableTrailerSupport"=dword:00000001
This mitigation does not apply to the other affected versions.
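The following PowerShell function is an added example, not code from the article or from Microsoft. It audits the registry value described above on a local machine and reports whether the host falls into the group where the mitigation applies (Windows 10 version 1809 and Windows Server 2019 share build number 17763; that build check is this example's own assumption about how to identify those versions) and whether trailer support has been turned on. With the `-Remediate` switch it removes the value, which returns the feature to its documented default of off; `-WhatIf` previews that change. On every other affected version the function reports the host as exposed regardless of the registry value, because the article states that the mitigation does not apply there and only the patch closes the flaw.

```powershell
# Added example (not from the article or Microsoft): audit the HTTP.sys trailer-support
# registry value that the article describes as the condition exposing CVE-2022-21907 on
# Windows Server 2019 / Windows 10 version 1809. Run from an elevated prompt to remediate.

function Test-HttpTrailerSupport {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # When set, remove the value so the feature returns to its default (off).
        [switch]$Remediate
    )

    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
    $valueName = 'EnableTrailerSupport'

    # Assumption of this example: build 17763 identifies Windows 10 1809 and Windows
    # Server 2019, the versions on which the article says the feature is off by default.
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $mitigationApplies = ($build -eq 17763)

    # Read the value; $null means it is not set, i.e. the default state.
    $current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

    $result = [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Build                = $build
        MitigationApplies    = $mitigationApplies
        EnableTrailerSupport = if ($null -eq $current) { 'not set' } else { $current }
        TrailerSupportOn     = ($current -eq 1)
        # Exposed if the host is a version where the mitigation does not apply,
        # or if trailer support has been explicitly enabled. Patching is still required.
        ExposedWithoutPatch  = (-not $mitigationApplies) -or ($current -eq 1)
    }

    if ($Remediate -and $mitigationApplies -and ($current -eq 1)) {
        if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", 'Remove registry value')) {
            Remove-ItemProperty -Path $keyPath -Name $valueName
            $result.EnableTrailerSupport = 'removed'
            $result.TrailerSupportOn     = $false
            $result.ExposedWithoutPatch  = $false
        }
    }

    return $result
}

# Usage: audit only, or remove the value (use -WhatIf to preview the change).
Test-HttpTrailerSupport
# Test-HttpTrailerSupport -Remediate -WhatIf
```

The object it returns can be collected across a fleet (for example through `Invoke-Command`) to produce a list of hosts that still need the update, which is the real fix; removing the value only narrows exposure on the two versions named in the article.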