CVE-2022-21907 Security Alert: Stormshield’s product response

CVE-2022-21907: what protections with Stormshield solutions?

The year starts strong with a critical vulnerability rated 9.8 (CVSS 3.1) discovered on Microsoft Windows 11 and Server 2022 systems as well as Windows Server 2019 and Windows 10 version 1809 (and later in some configurations). Here's an update on a critical vulnerability, with the Stormshield Customer Security Lab team.

 

Context of the attack

This vulnerability concerns the HTTP stack (http.sys) used in listening to process HTTP requests on IIS (Internet Information Services) servers. It is patched on the last “Patch Tuesday” of January 2022. In practice, sending a specifically crafted packet allows remote code execution (RCE) by unauthenticated users. The level of complexity is low and requires little or no user interaction.

There does not seem to be a Proof Of Concept available in the wild, and this vulnerability is, for the moment, not widely exploited.

 

Technical details of the attack

Technical details are currently under Microsoft embargo, we will provide an update when we are cleared to do so.

Windows 11 and server 2022 are vulnerable by default. This vulnerability is also present on Windows 10 v1809 and Server 2019 systems with "HTTP Trailer Support" enabled. This can be checked, and disabled, via the following registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\
"EnableTrailerSupport"=dword:00000001

Set to 0, this function is disabled and the vulnerability is no longer exploitable.

 

Means of protection provided by Stormshield

The vulnerability is covered by the Stormshield Network Security product (SNS). The SES solution is not suitable to protect against the exploitation of this vulnerability.

Stormshield Network Security

The following existing protections built into the static "http" plugin covers the vulnerability:

  • http:53 Invalid HTTP Protocol,
  • http:55 Possible buffer overflow in HTTP request/reply

 

In order to be effective, it is necessary to keep the "Other fields" value of the "maximum size of http header" menu below 1900 bytes (by default set to 1024):

Fig. 1: configuration Other Fields SNS

In the case of an attack on a web server, the protection will be applied to the HTTP flow. For the HTTPS flow, an SSL decryption solution should be positioned before the IPS analysis performed by the SNS.

Confidence index of the protection

Confidence index of no false positives

 

Stormshield Endpoint Security

SES does not cover against exploitation of this vulnerability.

 

Recommandations

  • Update your Windows 11 et Server 2022 systems with January “patch Tuesday”
  • On Windows Server 2019, Windows 10 version 1809 and above, change this registry key value: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\"EnableTrailerSupport"  to 0.

Share on

[juiz_sps buttons="facebook, twitter, linkedin, mail"]
Do you have a more technical question on the subject? Need clarification on Stormshield protections? The Technical Support teams are at your disposal to provide you with the best possible support. Contact them through the incident manager located in the private MyStormshield area. To access it, select the "Technical support / Report an incident / Track an incident" menu.

About the author

mm
Sébastien Viou
Cybersecurity Product Director & Cyber-Evangelist, Stormshield

Fan of fighting sports (ju-jitsu, kick-boxing, ice hockey), Sébastien also has a passion for mechanics. The real thing, the one where all the parts are dismantled and reassembled until all the mechanisms are understood. An obvious parallel with his missions at Stormshield, where he is in charge of shedding light on developments, innovations and trends in the cyber-threats.