Wormable critical vulnerability in http.sys could lead to Remote Code Execution on AD FS Servers running SAC versions of Windows Server (CVE-2021-31166, CVSSv3 9.8/8.5)


This week, on its Patch Tuesday for May 2021, Microsoft released a patch that addresses a highly critical vulnerability (CVE-2021-31166) in http.sys.

About http.sys

Http.sys is a web server for ASP.NET Core that only runs on Windows. Http.sys is an alternative to the Kestrel server and offers some features that Kestrel doesn't provide.

Http.sys can run stand-alone or in conjunction with Internet Information Services (IIS). It brokers internet traffic via HTTP network requests.

About the vulnerability

The vulnerability is due to Windows improperly tracking pointers while processing objects in network packets containing HTTP requests. As http.sys is implemented as a kernel driver, exploitation of this vulnerability will result in at least a Blue Screen of Death (BSoD), and in the worst-case scenario, remote code execution, which could be wormable.

Weaponized as a remote code execution vulnerability, it can potentially be exploited by a remote, unauthenticated attacker sending a crafted HTTP packet to a system utilizing the HTTP Protocol Stack (http.sys). In this case, the vulnerability is considered to be wormable, which means that a single infection could result in a chain reaction of systems impacted across an organization without any user interaction.

While this vulnerability is exceptional in terms of potential impact and ease of exploitation, it remains to be seen whether effective remote code execution will be achieved.

Common Vulnerability Scoring

With a CVSS score of 9.8/8.5, the vulnerability has the potential to be directly impactful and is also exceptionally simple to exploit.

Related vulnerabilities

The vulnerability resembles CVE-2015-1635. That vulnerability was also in http.sys, but was reported back in 2015. It was addressed as part of Microsoft Security Bulletin MS15-034. That update addressed the vulnerability by modifying how the Windows HTTP stack handles requests on Windows 7, Windows 8, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2.

Microsoft’s Security bulletin MS16-049 also addresses a vulnerability in http.sys, but was rated as Important, not Critical. That update addressed the vulnerability by modifying how the Windows HTTP protocol stack handles HTTP 2.0 requests on Windows 10 version 1507 (RTM) and Windows 10 version 1511.

Affected Operating Systems and configurations

Since Windows Server 2012 R2, the Active Directory Federation Services (AD FS) role utilizes kernel-mode IIS. This design choice makes AD FS servers running on Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019 potentially exposed to vulnerabilities in http.sys, but only the following Operating Systems are vulnerable to this one:

  • Windows 10, version 2004
  • Windows 10, version 20H2
  • Windows Server, version 2004
  • Windows Server, version 20H2

As this vulnerability only affects the latest semi-annual channel (SAC) releases of Windows 10 and Windows Server (2004 and 20H2), the exposure for internet-facing enterprise servers is fairly limited; many of these systems run Long Term Servicing Channel (LTSC) versions, such as Windows Server 2016 and 2019.

Call to action

I urge you to install the necessary security updates on Windows Server SAC installations acting as Active Directory Federation Services (AD FS) servers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out this update to Windows Server SAC installations acting as Active Directory Federation Services (AD FS) servers in the production environment.
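
To find the servers this applies to, a triage script along these lines can be run on each candidate host. It is an added example, not code from this post or from Microsoft; the KB number is a placeholder to be replaced with the one from Microsoft's advisory for CVE-2021-31166, and the build numbers 19041 and 19042 are the builds of the 2004 and 20H2 releases listed above.

```powershell
# Added example: triage one host for CVE-2021-31166 exposure as described in this post.
# $PatchKb is a placeholder; take the real KB number from Microsoft's advisory.
param(
    [string]$PatchKb = 'KB0000000'   # placeholder, not a real KB number
)

# Builds of the affected SAC releases named in the post (2004 = 19041, 20H2 = 19042).
$AffectedBuilds = @{ '19041' = '2004'; '19042' = '20H2' }

$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [string]$cv.CurrentBuildNumber
$isAffectedRelease = $AffectedBuilds.ContainsKey($build)

# AD FS role check: Get-WindowsFeature only exists on Windows Server, so fall back
# to looking for the AD FS service (adfssrv) on anything else.
$hasAdfs = $false
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $hasAdfs = (Get-WindowsFeature -Name 'ADFS-Federation').Installed
} elseif (Get-Service -Name 'adfssrv' -ErrorAction SilentlyContinue) {
    $hasAdfs = $true
}

# http.sys is a kernel driver registered as the 'HTTP' driver service. If it is
# running, listeners such as AD FS or IIS hand their HTTP traffic to it.
$httpSys        = Get-CimInstance Win32_SystemDriver -Filter "Name='HTTP'"
$httpSysRunning = ($httpSys.State -eq 'Running')

# A later cumulative update also carries the fix, so a miss here means
# "verify the installed update level", not "definitely vulnerable".
$patch = Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    Build             = "$build.$($cv.UBR)"
    Release           = $AffectedBuilds[$build]
    AffectedRelease   = $isAffectedRelease
    AdfsRoleInstalled = $hasAdfs
    HttpSysRunning    = $httpSysRunning
    PatchKbFound      = [bool]$patch
    NeedsAttention    = $isAffectedRelease -and $httpSysRunning -and -not $patch
}
```

Hosts that report `NeedsAttention = True` together with `AdfsRoleInstalled = True` are the AD FS servers to patch first in the test environment.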
