Archive for January 11th, 2022

A Quick CVE-2022-21907 FAQ (work in progress), (Wed, Jan 12th)

1 – When will an exploit be available?

Who knows. Microsoft rates the exploitability as “Exploitation More Likely”. I suggest you patch this week.

2 – Which versions are affected?

Microsoft’s advisory is a bit oddly worded. But at this point, my best read of it is: The vulnerable code was introduced in Windows Server 2019 and Windows 10 version 1809. But these versions of Windows had a registry key set by default disabling the feature. All later versions are vulnerable “out of the box”. For Windows Server 2019 and Windows 10 Version 1809, the “EnableTrailerSupport” value under “HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters” is set to 0 by default, disabling trailers. You can check this registry value in PowerShell (thanks Rob):

Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters" | Select-Object EnableTrailerSupport

3 – Am I vulnerable if I do not have IIS enabled?

Possibly. This is NOT an IIS vulnerability, but a vulnerability in http.sys. http.sys is probably best described as the core HTTP engine inside IIS. But other software also uses http.sys and may expose the vulnerability: WinRM (Windows Remote Management) and WSDAPI (Web Services for Devices), for example, both listen through http.sys. For a quick list of processes using http.sys, try:

netsh http show servicestate

4 – Does a web application firewall help?

Likely yes. You could start (at your own risk) by simply blocking requests with trailers. Maybe log them first to see whether there are legitimate uses (let us know what uses them and how). For details, ask your web application firewall vendor.

5 – Was there a similar severe vulnerability in the past?

In 2015, we had a similar fire drill for CVE-2015-1635 (MS15-034). Maybe you kept notes? They will come in handy now. That Range header vulnerability never amounted to much.

6 – What are these Trailers about anyway?

Trailers are defined in RFC 7230. They only make sense if “Transfer-Encoding: chunked” is used. With chunked encoding, the body of a request or response is transmitted in small chunks. Each chunk is preceded by its length in bytes (in hexadecimal). The idea behind this is that you may not know, as you start sending a message, how long it will be. In addition, chunked encoding allows the sender to delay sending some headers until after the body has been sent. These delayed headers are the “trailers”. Here is a quick sample request:

POST / HTTP/1.1
Host: testing
Content-Type: text/plain
Transfer-Encoding: chunked
Trailer: X-Test

3
ABC
0
X-Test: 123

The RFC states that “the sender SHOULD generate a Trailer header” suggesting it is not mandatory. This may make filtering more difficult if an exploit does not use a Trailer header (again: I am speculating what an exploit may look like. But having a trailer without a corresponding trailer header may cause some confusion).
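To make the chunked/trailer mechanics concrete, and to show what the “log trailers first, then decide whether to block” approach from question 4 actually has to look at, here is an added example (not part of the ISC diary): a small Python parser for a chunked HTTP/1.1 request that decodes the body, collects any trailer fields, and reports whether the trailer fields were announced in a Trailer header. The sample requests are constructed here; the first is the request shown above, the second is the same request without the Trailer header, and the third carries no trailers at all.

```python
"""Added example (not from the ISC diary): parse a chunked HTTP/1.1 request,
recover its trailer fields, and summarise trailer use the way a logging or
WAF rule would (RFC 7230 section 4.1). Sample requests are constructed below."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class ParsedRequest:
    headers: dict[str, str]            # header field names lowercased
    body: bytes                        # de-chunked body
    trailers: dict[str, str] = field(default_factory=dict)


def _parse_fields(block: bytes) -> dict[str, str]:
    """Parse CRLF-separated 'Name: value' lines into a dict with lowercase names."""
    fields: dict[str, str] = {}
    for line in block.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed field line: {line!r}")
        fields[name.strip().decode("ascii").lower()] = value.strip().decode("ascii")
    return fields


def parse_request(raw: bytes) -> ParsedRequest:
    """Split a raw request into headers and body; de-chunk and collect trailers if chunked."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header section not terminated by an empty line")
    headers = _parse_fields(b"\r\n".join(head.split(b"\r\n")[1:]))  # skip the request line
    if "chunked" not in headers.get("transfer-encoding", "").lower():
        return ParsedRequest(headers, rest)

    body = bytearray()
    pos = 0
    while True:
        eol = rest.index(b"\r\n", pos)                           # ValueError if truncated
        size = int(rest[pos:eol].split(b";", 1)[0].strip(), 16)  # hex size; drop chunk extensions
        pos = eol + 2
        if size == 0:                                            # last-chunk
            break
        body += rest[pos:pos + size]
        pos += size
        if rest[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2
    # Trailer section: zero or more field lines, then the final empty line.
    trailer_block = rest[pos:].partition(b"\r\n\r\n")[0]
    return ParsedRequest(headers, bytes(body), _parse_fields(trailer_block))


def assess_trailers(req: ParsedRequest) -> dict[str, object]:
    """What a filter or log rule wants to know: were trailers sent, and were they declared?"""
    declared = {n.strip().lower() for n in req.headers.get("trailer", "").split(",") if n.strip()}
    sent = set(req.trailers)
    return {
        "has_trailers": bool(sent),
        "declared": sorted(declared),
        "sent": sorted(sent),
        "undeclared": sorted(sent - declared),  # trailer fields with no Trailer header entry
    }


# Constructed samples. The first is the request from the diary text.
SAMPLE_DECLARED = (
    b"POST / HTTP/1.1\r\nHost: testing\r\nContent-Type: text/plain\r\n"
    b"Transfer-Encoding: chunked\r\nTrailer: X-Test\r\n\r\n"
    b"3\r\nABC\r\n0\r\nX-Test: 123\r\n\r\n"
)
# Same trailer, but no Trailer header announcing it (the case the diary worries about).
SAMPLE_UNDECLARED = (
    b"POST / HTTP/1.1\r\nHost: testing\r\nContent-Type: text/plain\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
    b"3\r\nABC\r\n0\r\nX-Test: 123\r\n\r\n"
)
# Ordinary chunked request: two chunks, a chunk extension, no trailers at all.
SAMPLE_NO_TRAILERS = (
    b"POST / HTTP/1.1\r\nHost: testing\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"4\r\nWiki\r\n5;ext=1\r\npedia\r\n0\r\n\r\n"
)


def log_line(label: str, raw: bytes) -> str:
    """One line per request, as a trailer-logging rule might emit it."""
    req = parse_request(raw)
    a = assess_trailers(req)
    return f"{label}: body={req.body!r} trailers={a['sent']} undeclared={a['undeclared']}"


if __name__ == "__main__":
    for label, raw in [("declared", SAMPLE_DECLARED),
                       ("undeclared", SAMPLE_UNDECLARED),
                       ("none", SAMPLE_NO_TRAILERS)]:
        print(log_line(label, raw))
```

The point of the "undeclared" field is the one raised above: a rule that only keys on the presence of a Trailer header misses the second sample, while a rule that looks at what follows the zero-length chunk catches both. Logging that distinction for a while before blocking is what question 4 suggests.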


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS.


Microsoft Patch Tuesday – January 2022 , (Tue, Jan 11th)

Microsoft fixed 126 different CVEs with this month’s update (this includes the Chromium issues patched in Edge). Six of the issues were publicly disclosed, and nine are rated critical. 

Noteworthy updates:

CVE-2022-21907: This is a remote code execution vulnerability in http.sys. http.sys is part of anything in Windows that processes HTTP requests (e.g. IIS!). But this vulnerability only affects the HTTP Trailer feature, which is not enabled by default (not sure if there is a good reason to enable it). HTTP trailers are used to delay sending headers until the end of the request (or response). They are typically used as part of chunked messages, when the entire message is not known until it has been sent. A “TE: trailers” header needs to be sent, and a “Trailer” header listing the delayed header names. This is potentially a wormable vulnerability, and Microsoft recommends prioritizing this patch. (This does not just affect IIS!)

CVE-2022-21846: Another critical remote code execution vulnerability in Exchange. But this vulnerability is not exploitable across the internet and requires the victim and the attacker to share the same network. 

CVE-2021-22947: This vulnerability in curl was originally disclosed in September, which is why it is noted as “Publicly Disclosed”. This update fixes several vulnerabilities, not just the listed CVE.

See my dashboard for a more detailed breakout: https://patchtuesdaydashboard.com.

January 2022 Security Updates

Description / CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (avg) | CVSS Temporal (avg)
.NET Framework Denial of Service Vulnerability
CVE-2022-21911 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
Active Directory Domain Services Elevation of Privilege Vulnerability
CVE-2022-21857 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.7
Chromium: CVE-2022-0096 Use after free in Storage
CVE-2022-0096 | No | No | | | | |
Chromium: CVE-2022-0097 Inappropriate implementation in DevTools
CVE-2022-0097 | No | No | | | | |
Chromium: CVE-2022-0098 Use after free in Screen Capture
CVE-2022-0098 | No | No | | | | |
Chromium: CVE-2022-0099 Use after free in Sign-in
CVE-2022-0099 | No | No | | | | |
Chromium: CVE-2022-0100 Heap buffer overflow in Media streams API
CVE-2022-0100 | No | No | | | | |
Chromium: CVE-2022-0101 Heap buffer overflow in Bookmarks
CVE-2022-0101 | No | No | | | | |
Chromium: CVE-2022-0102 Type Confusion in V8
CVE-2022-0102 | No | No | | | | |
Chromium: CVE-2022-0103 Use after free in SwiftShader
CVE-2022-0103 | No | No | | | | |
Chromium: CVE-2022-0104 Heap buffer overflow in ANGLE
CVE-2022-0104 | No | No | | | | |
Chromium: CVE-2022-0105 Use after free in PDF
CVE-2022-0105 | No | No | | | | |
Chromium: CVE-2022-0106 Use after free in Autofill
CVE-2022-0106 | No | No | | | | |
Chromium: CVE-2022-0107 Use after free in File Manager API
CVE-2022-0107 | No | No | | | | |
Chromium: CVE-2022-0108 Inappropriate implementation in Navigation
CVE-2022-0108 | No | No | | | | |
Chromium: CVE-2022-0109 Inappropriate implementation in Autofill
CVE-2022-0109 | No | No | | | | |
Chromium: CVE-2022-0110 Incorrect security UI in Autofill
CVE-2022-0110 | No | No | | | | |
Chromium: CVE-2022-0111 Inappropriate implementation in Navigation
CVE-2022-0111 | No | No | | | | |
Chromium: CVE-2022-0112 Incorrect security UI in Browser UI
CVE-2022-0112 | No | No | | | | |
Chromium: CVE-2022-0113 Inappropriate implementation in Blink
CVE-2022-0113 | No | No | | | | |
Chromium: CVE-2022-0114 Out of bounds memory access in Web Serial
CVE-2022-0114 | No | No | | | | |
Chromium: CVE-2022-0115 Uninitialized Use in File API
CVE-2022-0115 | No | No | | | | |
Chromium: CVE-2022-0116 Inappropriate implementation in Compositing
CVE-2022-0116 | No | No | | | | |
Chromium: CVE-2022-0117 Policy bypass in Service Workers
CVE-2022-0117 | No | No | | | | |
Chromium: CVE-2022-0118 Inappropriate implementation in WebShare
CVE-2022-0118 | No | No | | | | |
Chromium: CVE-2022-0120 Inappropriate implementation in Passwords
CVE-2022-0120 | No | No | | | | |
Clipboard User Service Elevation of Privilege Vulnerability
CVE-2022-21869 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Connected Devices Platform Service Elevation of Privilege Vulnerability
CVE-2022-21865 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
DirectX Graphics Kernel File Denial of Service Vulnerability
CVE-2022-21918 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.7
DirectX Graphics Kernel Remote Code Execution Vulnerability
CVE-2022-21912 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8
CVE-2022-21898 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8
HEVC Video Extensions Remote Code Execution Vulnerability
CVE-2022-21917 | No | No | Less Likely | Less Likely | Critical | 7.8 | 7.0
HTTP Protocol Stack Remote Code Execution Vulnerability
CVE-2022-21907 | No | No | More Likely | More Likely | Critical | 9.8 | 8.5
Libarchive Remote Code Execution Vulnerability
CVE-2021-36976 | Yes | No | Less Likely | Less Likely | Important | |
Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass
CVE-2022-21913 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.8
Local Security Authority Subsystem Service Elevation of Privilege Vulnerability
CVE-2022-21884 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Cluster Port Driver Elevation of Privilege Vulnerability
CVE-2022-21910 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Cryptographic Services Elevation of Privilege Vulnerability
CVE-2022-21835 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability
CVE-2022-21871 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability
CVE-2022-21891 | No | No | Less Likely | Less Likely | Important | 7.6 | 6.6
Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability
CVE-2022-21932 | No | No | Less Likely | Less Likely | Important | 7.6 | 6.6
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
CVE-2022-21954 | No | No | Less Likely | Less Likely | Important | 6.1 | 5.3
CVE-2022-21970 | No | No | Less Likely | Less Likely | Important | 6.1 | 5.3
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
CVE-2022-21929 | No | No | Less Likely | Less Likely | Moderate | 2.5 | 2.3
CVE-2022-21930 | No | No | Less Likely | Less Likely | Important | 4.2 | 3.8
CVE-2022-21931 | No | No | Less Likely | Less Likely | Important | 4.2 | 3.8
Microsoft Excel Remote Code Execution Vulnerability
CVE-2022-21841 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2022-21846 | No | No | More Likely | More Likely | Critical | 9.0 | 7.8
CVE-2022-21855 | No | No | More Likely | More Likely | Important | 9.0 | 7.8
CVE-2022-21969 | No | No | More Likely | More Likely | Important | 9.0 | 7.8
Microsoft Office Remote Code Execution Vulnerability
CVE-2022-21840 | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.7
Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2022-21837 | No | No | Less Likely | Less Likely | Important | 8.3 | 7.2
Microsoft Word Remote Code Execution Vulnerability
CVE-2022-21842 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Open Source Curl Remote Code Execution Vulnerability
CVE-2021-22947 | Yes | No | Less Likely | Less Likely | Critical | |
Remote Desktop Client Remote Code Execution Vulnerability
CVE-2022-21850 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
CVE-2022-21851 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability
CVE-2022-21964 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Remote Desktop Protocol Remote Code Execution Vulnerability
CVE-2022-21893 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
Remote Procedure Call Runtime Remote Code Execution Vulnerability
CVE-2022-21922 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
Secure Boot Security Feature Bypass Vulnerability
CVE-2022-21894 | No | No | Less Likely | Less Likely | Important | 4.4 | 3.9
Storage Spaces Controller Information Disclosure Vulnerability
CVE-2022-21877 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability
CVE-2022-21870 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Task Flow Data Engine Elevation of Privilege Vulnerability
CVE-2022-21861 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Tile Data Repository Elevation of Privilege Vulnerability
CVE-2022-21873 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Virtual Machine IDE Drive Elevation of Privilege Vulnerability
CVE-2022-21833 | No | No | Less Likely | Less Likely | Critical | 7.8 | 6.8
Win32k Elevation of Privilege Vulnerability
CVE-2022-21882 | No | No | More Likely | More Likely | Important | 7.0 | 6.1
CVE-2022-21887 | No | No | More Likely | More Likely | Important | 7.0 | 6.1
Win32k Information Disclosure Vulnerability
CVE-2022-21876 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows Accounts Control Elevation of Privilege Vulnerability
CVE-2022-21859 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows AppContracts API Server Elevation of Privilege Vulnerability
CVE-2022-21860 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows Application Model Core API Elevation of Privilege Vulnerability
CVE-2022-21862 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows BackupKey Remote Protocol Security Feature Bypass Vulnerability
CVE-2022-21925 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.8
Windows Bind Filter Driver Elevation of Privilege Vulnerability
CVE-2022-21858 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Certificate Spoofing Vulnerability
CVE-2022-21836 | Yes | No | Less Likely | Less Likely | Important | 7.8 | 7.0
Windows Cleanup Manager Elevation of Privilege Vulnerability
CVE-2022-21838 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2022-21916 | No | No | More Likely | More Likely | Important | 7.8 | 6.8
CVE-2022-21897 | No | No | More Likely | More Likely | Important | 7.8 | 6.8
Windows DWM Core Library Elevation of Privilege Vulnerability
CVE-2022-21852 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2022-21902 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
CVE-2022-21896 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows Defender Application Control Security Feature Bypass Vulnerability
CVE-2022-21906 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows Defender Credential Guard Security Feature Bypass Vulnerability
CVE-2022-21921 | No | No | Less Likely | Less Likely | Important | 4.4 | 3.9
Windows Devices Human Interface Elevation of Privilege Vulnerability
CVE-2022-21868 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability
CVE-2022-21839 | Yes | No | Less Likely | Less Likely | Important | 6.1 | 5.5
Windows Event Tracing Elevation of Privilege Vulnerability
CVE-2022-21872 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows Extensible Firmware Interface Security Feature Bypass Vulnerability
CVE-2022-21899 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
Windows GDI Elevation of Privilege Vulnerability
CVE-2022-21903 | No | No | More Likely | More Likely | Important | 7.0 | 6.1
Windows GDI Information Disclosure Vulnerability
CVE-2022-21904 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
Windows GDI+ Information Disclosure Vulnerability
CVE-2022-21915 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.7
CVE-2022-21880 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
Windows Geolocation Service Remote Code Execution Vulnerability
CVE-2022-21878 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Hyper-V Denial of Service Vulnerability
CVE-2022-21847 | No | No | Less Likely | Less Likely | Important | 6.5 | 5.7
Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2022-21901 | No | No | Less Likely | Less Likely | Important | 9.0 | 7.8
Windows Hyper-V Security Feature Bypass Vulnerability
CVE-2022-21900 | No | No | Less Likely | Less Likely | Important | 4.6 | 4.0
CVE-2022-21905 | No | No | Less Likely | Less Likely | Important | 4.6 | 4.0
Windows IKE Extension Denial of Service Vulnerability
CVE-2022-21843 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
CVE-2022-21883 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
CVE-2022-21848 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
CVE-2022-21889 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.5
CVE-2022-21890 | No | No | Less Likely | Less Likely | Important | 7.5 | 6.7
Windows IKE Extension Remote Code Execution Vulnerability
CVE-2022-21849 | No | No | Less Likely | Less Likely | Important | 9.8 | 8.5
Windows Installer Elevation of Privilege Vulnerability
CVE-2022-21908 | No | No | More Likely | More Likely | Important | 7.8 | 6.8
Windows Kerberos Elevation of Privilege Vulnerability
CVE-2022-21920 | No | No | Less Likely | Less Likely | Important | 8.8 | 7.7
Windows Kernel Elevation of Privilege Vulnerability
CVE-2022-21879 | No | No | Less Likely | Less Likely | Important | 5.5 | 4.8
CVE-2022-21881 | No | No | More Likely | More Likely | Important | 7.0 | 6.1
Windows Modern Execution Server Remote Code Execution Vulnerability
CVE-2022-21888 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows Push Notifications Apps Elevation Of Privilege Vulnerability
CVE-2022-21867 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
CVE-2022-21885 | No | No | More Likely | More Likely | Important | 7.8 | 6.8
CVE-2022-21914 | No | No | More Likely | More Likely | Important | 7.8 | 6.8
Windows Resilient File System (ReFS) Remote Code Execution Vulnerability
CVE-2022-21892 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1
CVE-2022-21958 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1
CVE-2022-21959 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1
CVE-2022-21960 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1
CVE-2022-21961 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1
CVE-2022-21962 | No | No | Less Likely | Less Likely | Important | 6.8 | 6.1
CVE-2022-21963 | No | No | Less Likely | Less Likely | Important | 6.4 | 5.6
CVE-2022-21928 | No | No | Less Likely | Less Likely | Important | 6.3 | 5.7
Windows Security Center API Remote Code Execution Vulnerability
CVE-2022-21874 | Yes | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows StateRepository API Server file Elevation of Privilege Vulnerability
CVE-2022-21863 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows Storage Elevation of Privilege Vulnerability
CVE-2022-21875 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows System Launcher Elevation of Privilege Vulnerability
CVE-2022-21866 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows UI Immersive Server API Elevation of Privilege Vulnerability
CVE-2022-21864 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Windows User Profile Service Elevation of Privilege Vulnerability
CVE-2022-21919 | Yes | No | More Likely | More Likely | Important | 7.0 | 6.3
CVE-2022-21895 | No | No | Less Likely | Less Likely | Important | 7.8 | 6.8
Windows User-mode Driver Framework Reflector Driver Elevation of Privilege Vulnerability
CVE-2022-21834 | No | No | Less Likely | Less Likely | Important | 7.0 | 6.1
Workstation Service Remote Protocol Security Feature Bypass Vulnerability
CVE-2022-21924 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.8


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

