Aperçu
A remote code execution vulnerability exists in the HTTP Protocol Stack (HTTP.sys) on Windows systems. The vulnerability is caused by improper handling of crafted HTTP requests, allowing remote attackers to execute arbitrary code with kernel-level privileges. This is a critical vulnerability affecting Windows Server and client operating systems. La vulnérabilité a été divulguée le May 11, 2021. CISA a identifié CVE-2021-31166 comme étant exploitée mais n'est pas actuellement connue pour être utilisée dans des campagnes de rançongiciel.
Détails techniques
A remote code execution vulnerability exists in the HTTP Protocol Stack (HTTP.sys) kernel driver component in Windows. The vulnerability arises from improper validation and handling of crafted HTTP requests. When a specially crafted HTTP request is sent to an affected system running HTTP.sys (commonly used by Internet Information Services (IIS), Remote Desktop Gateway, and other HTTP-based services), the kernel-mode driver fails to properly process the malformed request. This allows an unauthenticated remote attacker to execute arbitrary code with kernel-level privileges (SYSTEM).
La vulnérabilité est classifiée comme CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) etCWE-120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')) .
La vulnérabilité a reçu un score de base CVSS v3.1 de 9.8 (CRITICAL) avec la chaîne vectorielle CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indiquant sa nature critical.
Impact
An unauthenticated remote attacker can execute arbitrary code with kernel-level (SYSTEM) privileges. This allows complete compromise of the affected system, including ability to install malware, steal data, modify system files, launch further attacks, disable security features, and use the compromised system as a pivot point for lateral movement within the network. The kernel-level access makes this extremely dangerous as it bypasses all user-mode security boundaries.
Mitigation et contournements
1. Open Windows Update settings 2. Click 'Check for updates' 3. Install the applicable cumulative update for your Windows version 4. Restart the system Alternatively, download the specific KB articles from Microsoft Update Catalog and install manually. For enterprise environments: 1. Deploy patches through WSUS/Configuration Manager 2. Test in development environment first 3. Follow your organization's change management procedures 4. Prioritize internet-facing servers and IIS installations Les versions suivantes incluent les correctifs nécessaires : Windows 10 Version 1909: KB5004237 (July 2021), Windows 10 Version 2004: KB5004237 (July 2021), Windows 10 Version 20H2: KB5004237 (July 2021), Windows 10 Version 21H1: KB5004237 (July 2021), Windows 10 Version 21H2: KB5004566 (July 2021), Windows Server 2016: KB5004237 (July 2021), Windows Server 2019: KB5004237 (July 2021), Windows Server 2022: KB5004566 (July 2021), Windows 11 Version 21H2: KB5004566 (July 2021).
Comme contournements temporaires : disable or restrict access to http.sys-based services if not required. this can be done by disabling iis, remote desktop gateway, or other http-based services that rely on http.sys.; implement network-level access controls to restrict access to http-based services to trusted networks only. use firewall rules to limit inbound connections on ports 80 and 443., et disable http keep-alive feature in iis configuration as a temporary measure. edit metabase.xml or use iis manager to set the keep-alive timeout to 0..
Recommandation de CISA : Apply updates per vendor instructions.
Ressources additionnelles
Source : Ce rapport a été généré par IA
