Wormable Windows HTTP hole – what you need to know

2022-01-12 19:24

As you can imagine, some classes of RCE bug are considered much more wormable than others, especially bugs that can be triggered directly via a simple network interaction.

HTTP.sys is part of Windows and is available to any program that uses ASP.NET. HTTP.sys works on Windows 7 clients and later.

HTTP.sys works on Windows 2008 R2 servers and later.

Microsoft's own documentation notes that "HTTP.sys is useful [] where there's a need to expose the server directly to the Internet without using IIS.".

Affects only Windows Server 2019 and later server versions.

As far as we can tell, the reason that this vulnerability isn't present in earlier versions of Windows and Windows Server is that the bug was found in the code that deals with HTTP Trailers; HTTP Trailer support was only added after support for HTTP/2; and HTTP/2 support only arrived in the Windows 10 era.

News URL

https://nakedsecurity.sophos.com/2022/01/12/wormable-windows-http-hole-what-you-need-to-know/

#http #windows