Wormable Critical HTTP Protocol Stack Remote Code Execution Vulnerability affects Windows Server 2019- and 2022-based AD FS Servers (CVE-2022-21907)

During its Patch Tuesday on January 11th, 2022, Microsoft addressed a Remote Code Execution (RCE) security vulnerability that affects Windows Server 2019- and Windows Server 2022-based Active Directory Federation Services (AD FS) servers.

About the vulnerability

CVE-2022-21907 details a remote code execution vulnerability that can be used to attack AD FS servers over the internet. An unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets and run malicious code on these hosts.

The HTTP Trailer response header allows the sender to include additional fields at the end of chunked messages in order to supply metadata that might be dynamically generated while the message body is sent, such as a message integrity check, digital signature, or post-processing status.

Common Vulnerability Scoring

This vulnerability is wormable and its attack complexity is rated low. Microsoft assigned it a CVSSv3 base score of 9.8 (temporal score 8.5).

Affected Operating Systems and configurations

AD FS servers running the following Windows Server versions are affected by this vulnerability:

  • Windows Server 2019
  • Windows Server, version 20H2
  • Windows Server 2022

HTTP Trailer support is enabled, by default, on AD FS servers running Windows Server 2022 and Windows Server version 20H2, but not on Windows Server 2019.

On Windows Server 2019-based AD FS servers, the feature needs to be manually enabled through the registry. Use the following line to check whether the HTTP Trailer support is enabled.

Get-ItemProperty "HKLM:\System\CurrentControlSet\Services\HTTP\Parameters" | Select-Object EnableTrailerSupport

When the EnableTrailerSupport value exists and the above line returns 1, HTTP Trailer support is enabled and the Windows Server 2019-based AD FS server is vulnerable. When the value is absent, nothing is returned and the feature is off.
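The check above only reads one registry value. The following PowerShell script is an added example, not part of the original post, that combines that check with the OS build and the presence of the AD FS service to report whether a host matches the exposed configuration described here. It assumes it runs elevated on the server under review; the build numbers and the service name adfssrv are assumptions, not values from the post.

```powershell
# Added example: assess a host's exposure to CVE-2022-21907 from configuration.
# Assumes: run locally and elevated on the server being assessed.
$regPath = 'HKLM:\System\CurrentControlSet\Services\HTTP\Parameters'

function Get-TrailerSupportState {
    # A missing value must not raise an error: SilentlyContinue makes it return $null.
    $item = Get-ItemProperty -Path $regPath -Name 'EnableTrailerSupport' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }            # value not set
    return [int]$item.EnableTrailerSupport            # 0 or 1
}

function Test-Cve202221907Exposure {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    # adfssrv is the AD FS service name (assumption, not taken from the post).
    $adfs  = Get-Service -Name adfssrv -ErrorAction SilentlyContinue
    $state = Get-TrailerSupportState

    # Assumed build numbers: 17763 = Server 2019, 19042 = Server version 20H2, 20348 = Server 2022.
    $affectedBuild = $build -in 17763, 19042, 20348

    # Per the post: trailer support is opt-in on Server 2019 (value must be 1),
    # but on by default on 20H2 / 2022 (absent value means enabled, only 0 disables it).
    $trailerOn = if ($build -eq 17763) { $state -eq 1 } else { $state -ne 0 }

    $display = if ($null -eq $state) { 'not set' } else { $state }

    [pscustomobject]@{
        Host                 = $env:COMPUTERNAME
        Build                = $build
        AdfsServicePresent   = [bool]$adfs
        EnableTrailerSupport = $display
        TrailerSupportActive = $trailerOn
        Exposed              = $affectedBuild -and [bool]$adfs -and $trailerOn
    }
}

Test-Cve202221907Exposure | Format-List
```

The result reflects configuration only; it does not verify whether the January 2022 security update is installed, so a patched host in the default configuration still shows Exposed = True.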

Call to action

I urge you to install the necessary security updates on Windows Server 2019, Windows Server version 20H2 and Windows Server 2022 installations acting as Active Directory Federation Services (AD FS) servers in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out the update to the AD FS servers in production.

Further reading

CVE-2022-21907 – Security Update Guide – Microsoft – HTTP Protocol Stack Remote Code Execution Vulnerability
