The http-sys vulnerability (CVE-2021-31166), which was already patched in May 2021, is more serious than initially assumed. Windows 10/Windows Server systems running the Windows Remote Management Service (WinRM) are also threatened. Administrators should ensure that affected systems are patched, as the http-sys vulnerability allows worm-like spread of malware.
The http-sys vulnerability CVE-2021-31166
CVE-2021-31166 is an HTTP Protocol Stack Remote Code Execution (RCE) vulnerability, a memory corruption bug in http.sys that is remotely exploitable over a network or via the Internet. In most scenarios, Microsoft writes, an unauthenticated attacker could send a specially crafted packet over the network/Internet to a target server that uses the HTTP protocol stack (http.sys) to process packets. This allows remote code execution on the target system, or at the very least crashes the machine with a blue screen.
The vulnerability could (according to Microsoft) be used to spread corresponding malware worm-like across the network. Therefore, the vulnerability has been assigned a CVSS score of 9.8 (max. is 10). Windows 10 systems from version 2004 and their server counterparts are affected. Microsoft recommends patching affected servers as a priority; the May 11, 2021 security updates close this vulnerability on supported Windows systems (see Patchday: Windows 10-Updates (May 11, 2021)).
Windows 10 version 2004, Windows 10 20H2 and Windows Server 2004/20H2 are threatened. Meanwhile, an exploit is also publicly available as a proof of concept (see Patch, because Exploit for Windows http-sys vulnerability CVE-2021-31166 available).
WinRM also affected
Security researcher Jim DeVries had asked on Twitter a week ago whether systems exposing the Windows Remote Management Service (WinRM) were also affected, and later answered this question with yes.
Will Dormann, who noticed these tweets, subsequently queried a search engine (Shodan) and found more than 2 million systems (about 62,000 in Germany) with WinRM enabled. On Windows Server, WinRM is enabled by default; on Windows 10 clients it has to be enabled manually by an administrator.
It is unclear to me, however, how often truly vulnerable production systems running Windows Server 2004 and 20H2, as well as Windows 10 version 2004 or higher, with WinRM enabled are actually in operation. This search returns about half a million systems with Windows Server 2004, because only these systems are vulnerable at all via the vulnerability. However, all unpatched systems from this category are thus subject to the risk that malware exploiting this vulnerability will spread worm-like in (corporate) networks. Bleeping Computer has summarized the whole thing in this article.
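To turn the advice above into a concrete check, here is an added PowerShell triage script that is not part of the original post: it reports whether a host runs one of the affected builds (assumed mapping: version 2004 = build 19041, 20H2 = build 19042, shared by the Windows Server releases of the same name), whether its revision (UBR) is at or above the one the May 11, 2021 cumulative update installs (the value 985 is an assumption to verify against the KB article for your branch), and whether the WinRM service is running with a listener configured.

```powershell
# Added example, not from the original post: triage one Windows host for
# CVE-2021-31166 exposure via WinRM. Run as administrator.
# Assumption: 2004 = build 19041, 20H2 = build 19042.
# Assumption: the May 11, 2021 cumulative update raises the UBR to 985;
# confirm this against the KB article before relying on the result.
$AffectedBuilds = 19041, 19042
$PatchedUbr     = 985

$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber
$ubr   = [int]$cv.UBR
$os    = Get-CimInstance -ClassName Win32_OperatingSystem

$affectedBuild = $build -in $AffectedBuilds
$patched       = $ubr -ge $PatchedUbr

# WinRM exposure: the service must be running and at least one HTTP/HTTPS
# listener must exist, otherwise http.sys is not reachable through WinRM.
$svc = Get-Service -Name WinRM -ErrorAction SilentlyContinue
$winrmRunning = [bool]($svc -and $svc.Status -eq 'Running')
$listeners = @()
if ($winrmRunning) {
    $listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue)
}

[pscustomobject]@{
    Host          = $env:COMPUTERNAME
    OS            = $os.Caption
    Build         = "$build.$ubr"
    AffectedBuild = $affectedBuild
    Patched       = $patched
    WinRMRunning  = $winrmRunning
    Listeners     = $listeners.Count
    # Exposed only when all three conditions hold: affected build, not yet
    # patched, and WinRM actually listening.
    Exposed       = ($affectedBuild -and -not $patched -and $listeners.Count -gt 0)
}
```

Run it across a server estate with Invoke-Command to get one row per host; any host with Exposed = True should be patched first, and the WinRM listener count tells you whether removing the listener is a stopgap while the update is rolled out.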