Detect CVE-2022-21907: A Wormable RCE in Windows Server
Table of contents:
Another day, another critical vulnerability posing a major headache for security practitioners. This time researchers have identified a wormable remote code execution (RCE) flaw that impacts the latest desktop and server Windows versions. The vendor urges everyone to upgrade their systems ASAP since the flaw could be easily leveraged by adversaries to execute arbitrary code on the affected instances.
CVE-2022-21907 Exploit
The bug resides in the HTTP Protocol Stack, a crucial component applied by Windows Internet Information Services web server to host web pages. By abusing the HTTP Trailer Support feature, unauthorized hackers can send specially crafted packets to the server leveraging the HTTP Protocol Stack (http.sys) to process packets and trick the system into running the malicious code on their behalf. Notably, no user interaction is required to proceed with the intrusion.
Given its CVSS score of 9.8, the wormable nature of the security hole, and the low complexity of the attack routine, Microsoft urges to patch the vulnerability without delay. As reported by the vendor’s advisory, Windows Server versions 2019, 20H2, and 2022 alongside desktop versions 10 and 11 were found affected.
Although no exploitations in the wild have been observed to date, it is only a matter of time before adversaries would weaponize exploits for CVE-2022-21907. The public PoC exploits have already been released for this vulnerability. Yet, security researchers are arguing if the available PoCs are fully applicable for the in-the-wild attacks.
CVE-2022-21907 Detection
The vulnerability was patched by Microsoft with its latest Patch Tuesday release on January 11, 2022. Furthermore, for Windows Server 2019 and Windows 10 version 1809, mitigations are available since the vulnerable code is not loaded by default but only when a certain registry key has been set. Users just need to disable the HTTP Trailer Support feature to stay safe.
To boost your defenses against this wormable RCE in Windows Server and detect possible attacks against your infrastructure, you can get the free Sigma rule available in the SOC Prime’s Detection as Code platform.
The rules below allow detecting the malicious activity associated with the publicly released PoC exploits for CVE-2022-21907. In view of a current discussion arguing if the released PoCs are valid, the SOC Prime Team is ready to implement relevant updates to the existing rules and create new ones upon any official statements from trusted sources.
Possible Microsoft HTTP Protocol Stack Vulnerability [CVE-2022-21907] Exploitation (via web)
This detection has translations for the following SIEM, EDR & XDR platforms: Azure Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, LogPoint, Graylog, Regex Grep, RSA NetWitness, Apache Kafka ksqlDB, Securonix, and AWS OpenSearch.
The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Initial Access tactic with Exploit Public-Facing Application as the main technique (T1190).
Possible HTTP Trailer Support Enable or Status Check [CVE-2022-21907] (via cmdline)
This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Chronicle Security, LimaCharlie, SentinelOne, Microsoft Defender ATP, CrowdStrike, Apache Kafka ksqlDB, Carbon Black, Securonix, and Open Distro.
The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Execution and Discovery tactics with Command and Scripting Interpreter (T1059) and Query Registry (T1012) as the main techniques.
Join SOC Prime’s Detection as Code platform for free to search for the latest threats in your SIEM or XDR environment, improve your threat coverage by reaching the most relevant content aligned with the MITRE ATT&CK matrix, and overall, boost the organization’s cyber defense capabilities. Security experts are also welcomed to join our Threat Bounty Program to monetize their own detection content.