During its Patch Tuesday on January 11th, 2022, Microsoft addressed a Remote Code Execution (RCE) security vulnerability that affects Windows Server 2019- and Windows Server 2022-based Active Directory Federation Services (AD FS) servers.
About the vulnerability
CVE-2022-21907 details a remote code execution vulnerability that can be used to attack AD FS servers over the internet. An unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets and run malicious code on these hosts.
The HTTP Trailer response header allows the sender to include additional fields at the end of chunked messages in order to supply metadata that might be dynamically generated while the message body is sent, such as a message integrity check, digital signature, or post-processing status.
COMMON VULNERABILITY SCORING
This vulnerability is wormable and the attack complexity is rated low. Microsoft assigned a CVSSv3 score of 9.8/8.5.
Affected Operating Systems and configurations
AD FS servers running the following Windows Server versions are affected by this vulnerability:
- Windows Server 2019
- Windows Server, version 20H2
- Windows Server 2022
HTTP Trailer support is enabled, by default, on AD FS servers running Windows Server 2022 and Windows Server version 20H2, but not on Windows Server 2019.
On Windows Server 2019-based AD FS servers, the feature needs to be manually enabled through the registry. Use the following line to check whether the HTTP Trailer support is enabled.
Get-ItemProperty "HKLM:\System\CurrentControlSet\Services\HTTP\Parameters" | Select-Object EnableTrailerSupport
When the above registry value exists and the above line returns the value 1, the Windows Server 2019-based AD FS server is vulnerable.
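The check above, extended as an added example (not from the original post) to handle a missing registry value and the three Windows Server versions listed. The function name, output fields, the build-number mapping (17763, 19042, 20348) and the adfssrv service lookup are this example's own assumptions; it does not test whether the January 2022 update is installed.

```powershell
# Added example, not from the original post: report HTTP Trailer exposure for this server.
# Get-TrailerExposure and its output fields are illustrative names.
function Get-TrailerExposure {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\System\CurrentControlSet\Services\HTTP\Parameters'
    )

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # The value is normally absent on Windows Server 2019; treat "missing" as a result, not an error.
    $item  = Get-ItemProperty -Path $Path -Name EnableTrailerSupport -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.EnableTrailerSupport } else { $null }

    # Build numbers are an assumption of this example: 17763 = 2019, 19042 = 20H2, 20348 = 2022.
    $assessment = switch ($build) {
        17763 {
            if ($value -eq 1) { 'Trailer support enabled through the registry: vulnerable until updated' }
            else              { 'Trailer support not enabled (default for this version)' }
        }
        19042   { 'Trailer support enabled by default: vulnerable until updated' }
        20348   { 'Trailer support enabled by default: vulnerable until updated' }
        default { 'Not one of the Windows Server versions listed in this post' }
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        OSCaption            = $os.Caption
        Build                = $build
        # adfssrv is the AD FS Windows service; absent means this host is not an AD FS server.
        AdfsServicePresent   = [bool](Get-Service -Name adfssrv -ErrorAction SilentlyContinue)
        EnableTrailerSupport = if ($null -eq $value) { 'not set' } else { $value }
        Assessment           = $assessment
    }
}

Get-TrailerExposure | Format-List
```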
Call to action
I urge you to install the necessary security updates on Windows Server 2019, Windows Server version 20H2 and Windows Server 2022 installations acting as Active Directory Federation Services (AD FS) servers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out this update to these Windows Server installations in the production environment.