Patch now: exploit for the Windows http.sys vulnerability CVE-2021-31166 is available

Another short security note for administrators of Windows systems who have not yet installed the May 2021 security updates, or who had to uninstall them because of problems. The updates of May 11, 2021 closed the http.sys vulnerability CVE-2021-31166. Since the weekend, an exploit for this vulnerability has been publicly available. It triggers a BlueScreen on the targeted Windows machine. I assume that remote attacks on this vulnerability could follow soon.


The http.sys vulnerability CVE-2021-31166

CVE-2021-31166 is a remote code execution (RCE) vulnerability in the HTTP protocol stack, caused by a memory overflow, that can be exploited remotely over a network or the Internet. According to Microsoft, in most scenarios an unauthenticated attacker could send a specially crafted packet over the network or Internet to a target server that uses the HTTP protocol stack (http.sys) to process packets. This enables remote code execution (RCE) on the target system, or at least sends the machine into a blue screen.

Even worse, according to Microsoft the vulnerability could be used to spread malware worm-like within a network. The vulnerability has therefore been given a CVSS score of 9.8 (the maximum is 10). Microsoft recommends patching affected servers as a priority; the May 11, 2021 security updates close this vulnerability on supported Windows systems (see Patchday: Windows 10-Updates (May 11, 2021)).
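As an added example (not part of the original post or Microsoft's guidance), the following PowerShell triage script checks whether a host is exposed in the sense described above: is the kernel HTTP stack (http.sys) running, which URL reservations route traffic through it, and is the May 2021 cumulative update installed. It assumes an elevated session, and the KB number of the May 11, 2021 update for the host's OS build is a placeholder that the administrator must fill in, since it differs per Windows version.

```powershell
# Added example, not from the original post. Triage a Windows host for exposure to
# CVE-2021-31166. Assumptions: elevated PowerShell session; the KB number of the
# May 11, 2021 cumulative update for this OS build is supplied by the admin
# (placeholder below), because it differs between Windows versions.
param(
    [string]$MayUpdateKb = "KB<placeholder-for-your-OS-build>"
)

# 1. Is the kernel HTTP protocol stack (http.sys, service name "HTTP") running?
$http = Get-Service -Name HTTP -ErrorAction SilentlyContinue
$httpRunning = ($null -ne $http -and $http.Status -eq 'Running')

# 2. Which URL reservations route traffic through http.sys? IIS, WinRM, WSUS and
#    custom HttpListener applications all show up here. These are reservations,
#    not necessarily active listeners, but they indicate what depends on http.sys.
$reservations = & netsh http show urlacl | Select-String -Pattern 'Reserved URL'

# 3. Is the May 2021 cumulative update present? A host where the update was
#    uninstalled again (the scenario from the post) will report $null here.
$hotfix = Get-HotFix -Id $MayUpdateKb -ErrorAction SilentlyContinue

# 4. Record the driver file version for the inventory / ticket.
$driver = Get-Item "$env:SystemRoot\System32\drivers\http.sys"

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    HttpSysRunning  = $httpRunning
    UrlReservations = $reservations.Count
    HttpSysVersion  = $driver.VersionInfo.FileVersion
    MayUpdateKb     = $MayUpdateKb
    PatchInstalled  = [bool]$hotfix
    Exposed         = ($httpRunning -and -not $hotfix)
}
```

Run it across a fleet with Invoke-Command and filter on Exposed to get the list of hosts that still need the May 2021 update.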

Exploit publicly available

Over the weekend, former Microsoft employee and security researcher Axel Souchet published a working exploit, which came to my attention via the following tweet.

Exploit for CVE-2021-31166 in Windows

Here is the relevant tweet from Axel Souchet. The exploit has been made publicly available on GitHub and triggers a BlueScreen on affected machines.


PoC for CVE-2021-31166

The availability of proof-of-concept code is usually the first step for attackers to start experimenting with the attack; eventually a working remote code execution (RCE) exploit will follow. Catalin Cimpanu posted the details here. He writes: "While the number of vulnerable Windows IIS servers may be small, this will not deter attackers from developing exploits. So the name of the game is patching."
