Overview
A remote code execution vulnerability exists in the HTTP Protocol Stack (HTTP.sys) on Windows systems. The vulnerability is caused by improper handling of crafted HTTP requests, allowing remote attackers to execute arbitrary code with kernel-level privileges. This is a critical vulnerability affecting Windows Server and client operating systems. The vulnerability was disclosed on May 11, 2021. CISA has identified CVE-2021-31166 as being exploited but is not currently known to be used in ransomware campaigns.
Technical details
A remote code execution vulnerability exists in the HTTP Protocol Stack (HTTP.sys) kernel driver component in Windows. The vulnerability arises from improper validation and handling of crafted HTTP requests. When a specially crafted HTTP request is sent to an affected system running HTTP.sys (commonly used by Internet Information Services (IIS), Remote Desktop Gateway, and other HTTP-based services), the kernel-mode driver fails to properly process the malformed request. This allows an unauthenticated remote attacker to execute arbitrary code with kernel-level privileges (SYSTEM).
The vulnerability is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) andCWE-120 (Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')) .
The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its critical nature.
Impact
An unauthenticated remote attacker can execute arbitrary code with kernel-level (SYSTEM) privileges. This allows complete compromise of the affected system, including ability to install malware, steal data, modify system files, launch further attacks, disable security features, and use the compromised system as a pivot point for lateral movement within the network. The kernel-level access makes this extremely dangerous as it bypasses all user-mode security boundaries.
Mitigation and workarounds
1. Open Windows Update settings 2. Click 'Check for updates' 3. Install the applicable cumulative update for your Windows version 4. Restart the system Alternatively, download the specific KB articles from Microsoft Update Catalog and install manually. For enterprise environments: 1. Deploy patches through WSUS/Configuration Manager 2. Test in development environment first 3. Follow your organization's change management procedures 4. Prioritize internet-facing servers and IIS installations The following versions include the necessary fixes: Windows 10 Version 1909: KB5004237 (July 2021), Windows 10 Version 2004: KB5004237 (July 2021), Windows 10 Version 20H2: KB5004237 (July 2021), Windows 10 Version 21H1: KB5004237 (July 2021), Windows 10 Version 21H2: KB5004566 (July 2021), Windows Server 2016: KB5004237 (July 2021), Windows Server 2019: KB5004237 (July 2021), Windows Server 2022: KB5004566 (July 2021), Windows 11 Version 21H2: KB5004566 (July 2021).
As temporary workarounds: disable or restrict access to http.sys-based services if not required. this can be done by disabling iis, remote desktop gateway, or other http-based services that rely on http.sys.; implement network-level access controls to restrict access to http-based services to trusted networks only. use firewall rules to limit inbound connections on ports 80 and 443., and disable http keep-alive feature in iis configuration as a temporary measure. edit metabase.xml or use iis manager to set the keep-alive timeout to 0..
CISA's recommendation: Apply updates per vendor instructions.
Additional resources
Source: This report was generated using AI
