1 – When will an exploit be available?
Who knows. Microsoft rates the exploitability as “Exploitation More Likely”. I suggest you patch this week.
2 – Which versions are affected?
Microsoft’s advisory is a bit oddly worded. But at this point, my best read of it is: The vulnerable code was introduced in Windows Server 2019 and Windows 10 version 1809. But these versions of Windows had a registry key set by default disabling the feature. All later versions are vulnerable “out of the box”. For Windows Server 2019 and Windows 10 Version 1809, the “HKLM:SystemCurrentControlSetServicesHTTPParameterEnableTrailerSupport” is set to 0 by default disabling trailers. You can check this registry value in Powershell (thanks Rob)l:
Get-ItemProperty “HKLM:SystemCurrentControlSetServicesHTTPParameters” | Select-Object EnableTrailerSupport
3 – Am I vulnerable if I do not have IIS enabled?
Possibly. This is NOT an IIS vulnerability, but a vulnerability in http.sys. http.sys is probably best described as the core HTTP engine inside IIS. But other software using http.sys and possibly exposing the vulnerability: WinRM (Windows Remote Management), WSDAPI (Web Services for Devices) for example expose http.sys. For a quick list of processes using http.sys, try:
netsh http show servicestate
4 – Does a web application Firewall help?
Likely yes. You could start (at your own risk) to just block requests with trailers. Maybe log them first to see if you see legitimate uses (let us know what uses them and how). For details, ask your web app firewall vendor.
5 – Was there a similar severe vulnerability in the past?
In 2015, we had a similar fire drill for CVE-2015-1635 (MS15-34). Maybe you kept notes? They will come in handy now. This Range header vulnerability never amounted to much.
6 – What are these Trailers about anyway?
Trailers are defined in RFC7230. They only make sense if “Transfer-Encoding: chunked" is used. With chunked encoding, the body of a request or response is transmitted in small chunks. Each chunk is preceded by a length in bytes. The idea behind this is that you may not know as you start sending a message how long it will be. In addition, chunked encoding does allow the sender to delay sending headers until the body is sent. These become “trailers”. Here is a quick sample request:
POST / HTTP/1.1
The RFC states that “the sender SHOULD generate a Trailer header” suggesting it is not mandatory. This may make filtering more difficult if an exploit does not use a Trailer header (again: I am speculating what an exploit may look like. But having a trailer without a corresponding trailer header may cause some confusion).
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.