1 – When will an exploit be available?
Who knows. Microsoft rates the exploitability as “Exploitation More Likely.” I suggest you patch this week.
2 – Which versions are affected?
Microsoft’s advisory is a bit oddly worded. But at this point, my best read of it is: The vulnerable code was introduced in Windows Server 2019 and Windows 10 version 1809. But these versions of Windows had a registry key set by default disabling the feature. All later versions are vulnerable “out of the box.” For Windows Server 2019 and Windows 10 Version 1809, the registry value “HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\EnableTrailerSupport” is set to 0 by default, disabling trailers. You can check this registry value in PowerShell (thanks, Rob):
Get-ItemProperty "HKLM:\System\CurrentControlSet\Services\HTTP\Parameters" | Select-Object EnableTrailerSupport
3 – Am I vulnerable if I do not have IIS enabled?
Possibly. This is NOT an IIS vulnerability, but a vulnerability in http.sys. http.sys is probably best described as the core HTTP engine inside IIS. But other software also uses http.sys and may expose the vulnerability: WinRM (Windows Remote Management) and WSDAPI (Web Services for Devices), for example. For a quick list of processes using http.sys, try:
netsh http show servicestate
4 – What is an attacker able to do with this vulnerability?
Microsoft implemented http.sys as a kernel-mode driver. In other words: Running code via http.sys can lead to a complete system compromise. However, past vulnerabilities (for example, CVE-2021-31166) were never fully exploited as several techniques were used to mitigate exploitation, and PoCs released were only able to cause a denial of service. The CVSS 3.1 base score for the vulnerability is 9.8 out of 10.
5 – Does a web application firewall help?
Likely yes. You could start (at your own risk) by blocking requests with trailers. Maybe log them first to see if you see legitimate uses (let us know what uses them and how). For details, ask your web app firewall vendor.
6 – Was there a similar severe vulnerability in the past?
In 2015, we had a similar fire drill for CVE-2015-1635 (MS15-34). Maybe you kept notes? They will come in handy now. This Range header vulnerability never amounted to much.
7 – What are these Trailers about anyway?
Trailers are defined in RFC 7230. They only make sense if “Transfer-Encoding: chunked” is used. With chunked encoding, the body of a request or response is transmitted in small chunks, each preceded by its length in bytes. The idea behind this is that you may not know how long a message will be when you start sending it. In addition, chunked encoding allows the sender to delay sending headers until the body is sent. These become “trailers.” Here is a quick sample request:
POST / HTTP/1.1
The RFC states that “the sender SHOULD generate a Trailer header,” suggesting it is not mandatory. This may complicate filtering if an exploit does not use a Trailer header (again: I am speculating what an exploit may look like, but having a trailer without a corresponding trailer header may cause some confusion).
For responses, http.sys only supports trailers for HTTP/2. I haven’t found any documentation for requests yet.
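To support the "log them first" advice in question 5 and the undeclared-trailer case discussed above, here is an added example (not code from the original diary or from Microsoft) that walks the chunks of a raw HTTP/1.1 request and reports which trailer fields are present and whether a Trailer header announced them. The function name inspect_trailers and the sample requests are assumptions made for illustration; the code expects the whole request in one buffer.

```python
# Added example: report chunked-encoding trailers in a raw HTTP/1.1 request.
HEX = b"0123456789abcdefABCDEF"

def _names(values):
    """Split comma-separated header values into lowercase tokens."""
    return [t.strip().lower() for v in values for t in v.split(",") if t.strip()]

def inspect_trailers(raw: bytes) -> dict:
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header section")
    headers = {}
    for line in head.split(b"\r\n")[1:]:              # skip the request line
        name, _, value = line.decode("latin-1").partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    codings = _names(headers.get("transfer-encoding", []))
    out = {"chunked": codings[-1:] == ["chunked"],
           "declared": [], "actual": [], "undeclared": []}
    if not out["chunked"]:
        return out                                    # no chunking, no trailers
    out["declared"] = _names(headers.get("trailer", []))
    pos = 0
    while True:                                       # walk the chunks
        eol = body.find(b"\r\n", pos)
        size_hex = body[pos:eol].split(b";")[0].strip() if eol >= 0 else b""
        if not size_hex or any(c not in HEX for c in size_hex):
            raise ValueError("bad chunk-size line")   # strict hex only
        size, pos = int(size_hex, 16), eol + 2
        if size == 0:
            break                                     # last chunk reached
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("bad chunk framing")
        pos += size + 2
    for line in body[pos:].split(b"\r\n"):            # trailer section
        if not line:
            break                                     # empty line ends the request
        out["actual"].append(line.decode("latin-1").partition(":")[0].strip().lower())
    out["undeclared"] = [n for n in out["actual"] if n not in out["declared"]]
    return out

# Constructed sample requests (not taken from the original page).
_BODY = b"5\r\nhello\r\n0\r\nX-Checksum: abc123\r\n\r\n"
_HEAD = b"POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n"
DECLARED = _HEAD + b"Trailer: X-Checksum\r\n\r\n" + _BODY
UNDECLARED = _HEAD + b"\r\n" + _BODY
PLAIN = b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"

if __name__ == "__main__":
    print(inspect_trailers(UNDECLARED))
```

A filter that keys only on the Trailer header would miss the UNDECLARED request; checking for a non-empty "actual" list covers both cases.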
8 – Will we go to Infocon Yellow again?
Once we see exploitation of this vulnerability.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.