Security News > 2021 > May > Wormable Windows HTTP vulnerability also affects WinRM servers

A wormable vulnerability in the HTTP Protocol Stack of the Windows IIS server can also be used to attack unpatched Windows 10 and Server systems publicly exposing the WinRM service.

Luckily, although it can be abused by threat in remote code execution attacks, the vulnerability ONLY impacts versions 2004 and 20H2 of Windows 10 and Windows Server.

As discovered by security researcher Jim DeVries, it also impacts Windows 10 and Server devices running the WinRM service, a component of the Windows Hardware Management feature set which also makes use of the vulnerable HTTP.sys.

While home users have to enable the WinRM service manually on their Windows 10 systems, enterprise Windows Server endpoints have WinRM toggled on by default which makes them vulnerable to attacks if they're running versions 2004 or 20H2. " is commonly used in corporate environments.

DeVries' findings have also been confirmed by CERT/CC vulnerability analyst Will Dormann who successfully crashed a Windows system exposing the WinRM service using Souchet's DoS exploit.

Luckily, only a subset of all these Internet-exposed Windows systems is vulnerable seeing that the vulnerability only impacts Windows 10 and Windows Server, versions 2004 and 20H2. The exploit's release could likely enable adversaries to create their own exploits faster, potentially also allowing remote code execution.

News URL

https://www.bleepingcomputer.com/news/security/wormable-windows-http-vulnerability-also-affects-winrm-servers/