UPDATE January 13 2022: Protection section has been updated with a IPS signature information.FortiGuard Labs is aware that a total of 96 vulnerabilities were patched by Microsoft on January 11th, 2022 as part of regular MS Patch Tuesday. In those vulnerabilities, CVE-2022-21907 (HTTP Protocol Stack Remote Code Execution Vulnerability) is one of the nine vulnerabilities that are rated critical. In the advisory, Microsoft warned that CVE-2022-21907 is wormable and “recommends prioritizing the patching of affected servers”.Why is this Significant?This is significant because CVE-2022-21907 is considered wormable as such malware can exploit the vulnerability to self-propagate without any user interaction nor elevated privilege. CVE-2022-21907 targets the HTTP trailer support feature that is enabled by default in various Windows 10 and 11 versions, as well as Windows Server 2022. The vulnerability also has a CVSS score of 9.8 (max score 10).What is CVE-2022-21907?CVE-2022-21907 is a remote code execution vulnerability in HTTP protocol stack (http.sys). HTTP.sys is a legitimate Windows component that is responsible for parsing HTTP requests. An unauthenticated attacker could craft and send a malicous packet to an affected server utilizing the HTTP Protocol Stack (http.sys) to process packets, which leads to remote code execution.Which Versions of Windows are Vulnerable?Per the Microsoft advisory, the following Windows versions are vulnerable:Windows Server 2019Windows Server 2022Windows 10Windows 11Note that the HTTP trailer support feature is inactive by default in Windows Server 2019 and Windows 10 version 1809. As such, they are not vulnerable unless the feature is enabled.Is the Vulnerability Exploited in the Wild?FortiGuard Labs is not aware of CVE-2022-21907 being exploited in the wild at the time of this writing.Has the Vendor Released a Fix?Yes. Microsoft released a fix for CVE-2022-21907 on January 11th, 2022 as part of regular Patch Tuesday.What is the Status of Coverage? (Updated January 13 2022)FortiGuard Labs has released the following IPS signature in version 19.241:MS.Windows.HTTP.Protocol.Stack.CVE-2022-21907.Code.Execution (default action is set to pass)Any Mitigation?Microsoft provided the following mitigation in the advisory:In Windows Server 2019 and Windows 10 version 1809, the the HTTP Trailer Support feature that contains the vulnerability is not active by default. The following registry key must be configured to introduce the vulnerable condition:HKEY_LOCAL_MACHINESystemCurrentControlSetServicesHTTPParameters”EnableTrailerSupport”=dword:00000001This mitigation does not apply to the other affected versions.
