Windows HTTP Vulnerability Also Impacts WinRM Servers
The Critical Bug Logged As CVE-2021-31166 Was Patched by the Tech Giant During May Patch Tuesday.
Tracked as CVE-2021-31166, the wormable vulnerability in the HTTP Protocol Stack of the Windows IIS server can also be used to attack unpatched Windows 10 and Server systems that publicly expose the WinRM (Windows Remote Management) service.
BleepingComputer reporter Sergiu Gatlan notes that while the flaw can be abused in remote code execution (RCE) attacks, only Windows 10 and Windows Server versions 2004 and 20H2 are affected by the vulnerability.
Since the vulnerability could allow unauthenticated attackers to execute arbitrary code remotely on vulnerable computers, Microsoft recommends prioritizing patching all affected servers.
What’s more, cybersecurity researcher Axel Souchet has published proof-of-concept exploit code that can be used to crash unpatched systems with maliciously crafted packets by triggering blue screens of death.
The bug itself happens in http!UlpParseContentCoding where the function has a local LIST_ENTRY and appends items to it. When it’s done, it moves it into the Request structure; but it doesn’t NULL out the local list. The issue with that is that an attacker can trigger a code-path that frees every entry of the local list, leaving them dangling in the Request object.
The bug was found in the HTTP Protocol Stack (HTTP.sys) used as a protocol listener by the Windows IIS web server for processing HTTP requests.
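The pattern described above (a local list moved into the request without the local head being reset), as an added toy model in C that is not from the original article or from HTTP.sys. The `Node` layout, the `is_head` and `alive` flags and all function names are assumptions made for illustration, and releasing an entry only clears a flag so the stale links can be counted safely.

```c
#include <stdio.h>
/* Toy model of the pattern, not HTTP.sys code. Entries live in a static pool
   and "release" only clears a flag, so stale links can be inspected safely. */
typedef struct Node { struct Node *flink, *blink; int is_head, alive; } Node;
static void init_head(Node *h) { h->flink = h->blink = h; h->is_head = 1; h->alive = 1; }
static void append(Node *h, Node *n) {
    n->is_head = 0; n->alive = 1;
    n->flink = h; n->blink = h->blink;
    h->blink->flink = n; h->blink = n;
}

/* Splice src's entries onto dst. reset_src == 0 reproduces the flaw:
   src keeps pointing at entries that now belong to dst. */
static void move_list(Node *dst, Node *src, int reset_src) {
    init_head(dst);
    if (src->flink != src) {
        dst->flink = src->flink; dst->blink = src->blink;
        dst->flink->blink = dst; dst->blink->flink = dst;
    }
    if (reset_src) init_head(src);   /* the step the flawed version omits */
}

/* Cleanup path: release every entry the given head still references. */
static void release_all(Node *h) {
    for (Node *e = h->flink; !e->is_head; e = e->flink) e->alive = 0;
}
/* Count entries still linked under h that were already released. */
static int count_dangling(const Node *h) {
    int n = 0;
    for (const Node *e = h->flink; !e->is_head; e = e->flink) n += !e->alive;
    return n;
}

/* Build n_items on a local list, move them to the request, run cleanup. */
int simulate(int n_items, int reset_local) {
    static Node pool[16];
    Node local, request;
    if (n_items < 0 || n_items > 16) return -1;
    init_head(&local);
    for (int i = 0; i < n_items; i++) append(&local, &pool[i]);
    move_list(&request, &local, reset_local);
    release_all(&local);
    return count_dangling(&request);
}

int main(void) {
    printf("no reset: %d dangling; reset: %d dangling\n", simulate(3, 0), simulate(3, 1));
    return 0;
}
```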
According to security researcher Jim DeVries, the vulnerability also impacts Windows 10 and Server devices running the WinRM service, a component of the Windows Hardware Management feature set, which also makes use of the vulnerable HTTP.sys. His findings have been confirmed by CERT/CC vulnerability analyst Will Dormann, who successfully managed to crash a Windows system exposing the WinRM service with Souchet’s DoS exploit.
I haven’t seen it discussed anywhere, do you think this vuln could be exploited thru WinRM on 5985? The system process on my non-IIS Win10 pc appears to load http.sys.
— Jim DeVries (@JimDinMN) May 18, 2021
While home users have to enable the WinRM service manually on their Windows 10 systems, enterprise Windows Server endpoints have WinRM toggled on by default, which makes them vulnerable to attacks if they’re running versions 2004 or 20H2.
The release of this exploit code could allow threat actors to create their own exploits faster, thus permitting remote code execution.
Nevertheless, since most home users using affected Windows 10 versions have probably updated their systems following the May 2021 Security Updates, the impact should be limited and the patching process quite quick.