Detect Wormable RCE Vulnerability (CVE-2021-31166) in Windows HTTP.sys

May 24, 2021 · 3 min read

Microsoft has recently fixed a highly critical bug (CVE-2021-31166) that enables remote code execution with kernel rights on machines running Windows 10 and Windows Server. The vendor warns that this flaw is wormable and could self-propagate across multiple servers inside the organizational network to cause maximum harm. A proof-of-concept (PoC) exploit has already been released, pushing criminals to weaponize the vulnerability for attacks in the wild.

CVE-2021-31166 Description

The issue resides in the HTTP Protocol Stack (HTTP.sys), an important utility that helps Windows Internet Information Services (IIS) web servers process HTTP requests. If exploited, the flaw allows unauthenticated actors to send specially crafted packets to a vulnerable server and trigger arbitrary code execution directly in the Windows OS kernel. Furthermore, the bug might be leveraged to launch a remote unauthenticated denial-of-service (DoS) attack, causing a Blue Screen of Death on the impacted devices. To make things even worse, CVE-2021-31166 is a wormable bug that allows creating network worms to propagate across other services initially not exposed to the intrusion.

On May 15, 2021, security expert Axel Souchet released a proof-of-concept (PoC) exploit for this flaw. Although the public PoC lacks worming functions, it shows an easy way to block an affected Windows installation if it is running an IIS server. Currently, there is no evidence the HTTP.sys issue has ever been exploited in the wild. Yet, the presence of the PoC would definitely motivate adversaries to leverage this security hole against exposed Windows IIS servers.

The only factor that somewhat limits the possible devastating consequences is that the bug exists only in recent Windows versions, including Windows 10 2004/20H2 and Windows Server 2004/20H2, which were released over the past year.

Initially, the flaw was thought to affect only machines running IIS servers. However, researcher Jim DeVries found that WinRM services are also impacted. As WinRM is enabled by default on all Windows servers running versions 2004/20H2, multiple corporate networks are currently exposed to intrusion.

CVE-2021-31166 Detection and Mitigation

The bug has been addressed by Microsoft during its Patch Tuesday release for May 2021. The vendor urges all users running vulnerable installations to upgrade to a secure version as soon as possible.
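
To decide which hosts to upgrade first, the following added example (not SOC Prime's or Microsoft's code) triages an asset-inventory export: it lists hosts on the affected releases whose installed cumulative update predates the May 2021 Patch Tuesday and notes whether IIS or WinRM is running. The CSV column names, host names and the `lcu_release_date` field are constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

# From the article: affected releases and the services that sit on HTTP.sys.
AFFECTED_RELEASES = {"2004", "20H2"}
HTTP_SYS_SERVICES = {"w3svc": "IIS", "winrm": "WinRM"}  # Windows service names

def patch_tuesday(year, month):
    """Second Tuesday of the month, Microsoft's regular update day."""
    first = date(year, month, 1)
    return first + timedelta(days=(1 - first.weekday()) % 7 + 7)

FIX_RELEASED = patch_tuesday(2021, 5)  # the May 2021 release the article cites

# Constructed inventory export; column names are assumptions for this example.
SAMPLE_INVENTORY = """\
host,release,running_services,lcu_release_date
web01,20H2,W3SVC;WinRM,2021-04-13
app02,2004,WinRM,2021-03-09
wks03,20H2,,2021-04-13
srv04,20H2,W3SVC,2021-05-11
old05,1909,W3SVC,2021-01-12
wks06,2004,WinRM,
"""

def triage(inventory_csv):
    """Return unpatched hosts on affected releases, reachable ones first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["release"].strip().upper() not in AFFECTED_RELEASES:
            continue  # release not named as affected in the article
        lcu = row["lcu_release_date"].strip()
        # Assumption: cumulative updates supersede earlier ones, so any update
        # released on or after the fix date contains it. Unknown = unpatched.
        if lcu and date.fromisoformat(lcu) >= FIX_RELEASED:
            continue
        running = {s.strip().lower() for s in row["running_services"].split(";")}
        listeners = sorted(v for k, v in HTTP_SYS_SERVICES.items() if k in running)
        findings.append({"host": row["host"],
                         "status": "exposed" if listeners else "latent",
                         "listeners": listeners})
    return sorted(findings, key=lambda f: (f["status"] != "exposed", f["host"]))

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f["host"], f["status"], ",".join(f["listeners"]) or "-")
```

Hosts marked `latent` run an affected release with neither service reported; they still need the update but have no HTTP.sys listener named in the inventory.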

To protect your company infrastructure from possible attacks powered by CVE-2021-31166, you can download a community Sigma rule already released by the SOC Prime Team in Threat Detection Marketplace:

The rule has translations to the following platforms: 

SIEM: Azure Sentinel, QRadar, Graylog, ELK Stack, Humio, FireEye


Tactics: Impact

Techniques: Network Denial of Service (T1498)

Subscribe to Threat Detection Marketplace, a world-leading Detection as Code platform that enables the full CI/CD workflow of detection procedures. Our SOC content library aggregates over 100K detection algorithms and threat hunting queries mapped directly to CVE and MITRE ATT&CK® frameworks. The detections are based on Sigma language, ensuring that all rules are easily convertible to 23 market-leading SIEM, EDR, and NTDR technologies to match the organization’s XDR stack. Eager to participate in threat hunting activities and craft your own Sigma rules? Join our Threat Bounty Program!
