People that travel is always a risk
  • Insight
  • 5 min read

A Truesec Investigation

Vulnerability Analysis of CVE-2022-21907 – HTTP Protocol Stack RCE

A potentially very serious vulnerability has been discovered (and patched) in HTTP.sys, a kernel mode device driver in Microsoft Windows responsible for managing HTTP-requests to and from various system services and subsystems.

What’s Going On?

On January 11, 2022, Microsoft released a patch[1] for a security vulnerability in their HTTP protocol stack, with an assigned CVE-name of CVE-2022-21907 [2]. The HTTP protocol stack (HTTP.sys) should be viewed as the foundation upon which much HTTP-related functionality relies. It is responsible for managing the processing of incoming HTTP-requests in various system services and subsystems of Microsoft operating systems and products. [7]

The patch addresses a remotely exploitable vulnerability requiring no authentication, making this an attractive vulnerability by threat-actor standards. Historically (back in May 2021), a similar vulnerability was disclosed in the same device driver, but exploitation never materialized into internet-wide exploitation due to existing and mitigative countermeasures.

News From Around the Internet

Security researchers have begun to reverse engineer the patch, as expected, and initial results have been published online. [6]

Update 2022-01-13: There now appears to be a working proof-of-concept for the vulnerability resulting in a denial-of-service. Granted, this is the most immediate and first step towards the goal of achieving a full remote code execution.

What Should We Be Doing?

Applying available patches is always recommended but might not always be feasible, depending on factors such as the size of your organization, diversity and complexity of systems, and so forth.

Ensure there is an up-to-date inventory of your publicly accessible systems, and then double-check if any of these publicly accessible systems are vulnerable by running the following PowerShell-command [3]:

Get-ItemProperty "HKLM:SystemCurrentControlSetServicesHTTPParameters" | Select-Object EnableTrailerSupport

Special Notes

Microsoft Active Directory Federation Services (Microsoft AD FS)

Considering the importance of Microsoft Active Directory Federation Services it’s especially important to note that AD FS uses the HTTP Protocol Stack (http.sys). The default state of the HTTP Trailer support is enabled, on AD FS servers running Windows Server 2022 and Windows Server version 20H2, but not on Windows Server 2019 as indicated by Microsoft.

On Windows Server 2019, the feature must be manually enabled through the registry.

What About the Impact?

While still early, and assuming the vulnerability can be weaponized, this vulnerability presents a very attractive target that is highly likely going to be exploited by threat-actors. The vulnerability exists in many Microsoft-based operating systems and services such as Internet Information Services (IIS), thus increasing the possibility it will be abused broadly across many organizations. It is, however, important to note that the vulnerability exists in HTTP.sys, which has been implemented as a kernel mode device driver. Prior vulnerabilities in the HTTP.sys device driver have been difficult to exploit and have only resulted in a denial-of-service.

Consequently, the vulnerability will be used as an initial access vector as described by MITRE ATT&CK and T1190 [5], Exploit Public-Facing Application.

This vulnerability will likely be leveraged by Initial Access Brokers (IABs) and successfully exploited systems will be put up for sale to the highest bidder on various marketplaces. A likely, and perhaps obvious, outcome of this is that ransomware operators and their many affiliates will be buying access. However, we will also likely see more targeted compromises by advanced persistent threats (APTs).

What’s Coming Next?

Given the attractiveness of this vulnerability we’ll likely see quite a bit of chatter about it. Threat-actors will quickly attempt to reverse-engineer the patch. Again, given how broadly this vulnerability may be exploited, it will probably not take more than a few days until exploitation attempts have commenced.

We’ll very likely see broad scanning and exploitation attempts by a wide range of threat-actors and security researchers. Threat feeds will light up with alleged scanners, and at times it will appear as if the entire IPv4-space is attacking your organization.

This initial wave will be followed by more targeted attempts at exploitation. A common TTP here is the use of VPN (T1572) and VPS-services (T1583) to perform scanning and vulnerability exploitation. Hiding behind these types of services is a good indicator of a more nefarious intent. Security researchers will likely not attempt to hide their origins.

Historical Backdrop

There have been some earlier [4] exploitation attempts of vulnerabilities in the HTTP.sys device driver. These vulnerabilities were rather quickly reverse engineered and proof-of-concept code was soon published allowing exploitation of the vulnerabilities.


2022-01-13: Information about an apparently working proof-of-concept exploit causing a denial-of-service.

2022-01-13: Initial publication.