Jan 17, 2022
3 Minutes
On January 11, 2022, a security vulnerability was identified, and Microsoft assigned the CVE 2022-21907 with CVSS of 9.8.
As of now (1/16/2022) Microsoft is not aware of exploitations for this CVE in the wild but urges clients to immediately apply the security patches they released in Microsoft’s January 2022 Patch Tuesday that addresses CVE-2022-21907.
The publicly disclosed vulnerability targets operating systems that are utilizing the HTTP Protocol Stack (http.sys) to process packets.
In Windows Server 2003 Microsoft introduced the http.sys driver, which launches the http stack application and listens for http and https requests.
HTTP.sys listens for HTTP requests from the network, passes the requests onto IIS for processing, and then returns processed responses to client browsers.
Among the services that use the http.sys driver you can find IIS and WINRM.
In case the exploitation is successful, an unauthenticated attacker with network access to the target machine can achieve remote code execution on the target machine. The attack is performed by sending a specially crafted packet, without user interaction needed on the victim’s end.
According to Microsoft, the following operating systems are vulnerable:
For more information: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21907
Yes. By using Orca Security you have full visibility and coverage on your assets that show you if and where you are vulnerable, so you can take action to mitigate the risk, and apply ]security measures.
Orca Security detects CVE-2022-21907 and alerts on the vulnerable assets as shown below:
I invite you to experience our tech and talent first-hand with a no-obligation, free cloud risk assessment. You’ll get complete visibility into your public cloud, a detailed risk report (including CVE-2022-21907), an executive summary, and time with our cloud security experts.
Discover Your Cloud Vulnerabilities In Minutes
Scan your entire AWS, Azure, and Google Cloud environments for vulnerabilities with Orca Security’s free, no obligation risk assessment.