Picus Labs has updated the Picus Threat Library with new attacks that exploit the HTTP Protocol Stack Remote Code Execution (RCE) vulnerability (CVE-2021-31166) [1]. The vulnerability is critical because it is wormable: it allows unauthenticated remote code execution in an essential component of the IIS (Internet Information Services) web server on Windows operating systems.
| Affected Software | Vulnerability Type | CVSS 3.1 Base Score | Affected Platforms |
|---|---|---|---|
| HTTP Protocol Stack (HTTP.sys) | Remote Code Execution (RCE) | 9.8 Critical | Windows Server v. 2004; Windows 10 v. 2004; Windows 10 v. 20H1; Windows 10 v. 20H2 |
The HTTP Protocol Stack (HTTP.sys) is a kernel-mode device driver that listens for HTTP requests from the network, passes them to IIS for processing, and returns the processed responses to client browsers. Because HTTP.sys is the default protocol listener of IIS for both HTTP and HTTPS requests, it is a core component of IIS. The vulnerability is caused by a design flaw in the maintenance of a circular doubly linked list in the UlpParseAcceptEncoding routine of HTTP.sys. An unauthenticated attacker can exploit it by sending a specially crafted packet to a server that runs the HTTP Protocol Stack (http.sys). Because Windows Remote Management (WinRM) and Web Services on Devices (WSDAPI) also listen through HTTP.sys, they are affected as well [2].
Attack Simulation
Test your security controls against this vulnerability using the Picus Security Control Validation Platform. The Picus Threat Library includes the following threat for the CVE-2021-31166 vulnerability. As of May 24, 2021, the library contains 713 vulnerability exploitation threats in addition to 10,000+ other threats.

| Picus ID | Threat Name |
|---|---|
| 804289 | HTTP Protocol Stack Remote Code Execution Vulnerability Variant-1 |
Mitigation Recommendations
The Picus Mitigation Library provides the following signatures to prevent attacks that try to exploit the CVE-2021-31166 vulnerability. It contains 64,155 prevention signatures as of May 24, 2021.

| Product | SignatureId | SignatureName |
|---|---|---|
| F5 BIG-IP | 200012070 | HTTP Protocol Stack Remote Code Execution Vulnerability |
| PaloAlto IPS | 91146 | Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability |
| Snort | 1.2032962.1 | ET EXPLOIT Windows HTTP Protocol Stack UAF/RCE Inbound (CVE-2021-31166) |
| Snort | 1.57605.1 | OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt |
| SourceFire IPS | 1.57605.1 | OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt |
| TippingPoint | 39732 | HTTP: Microsoft IIS HTTP Protocol Stack Remote Code Execution Vulnerability |
Microsoft addressed this vulnerability in the May patch release cycle and recommended patching affected operating systems [3].
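To turn the version table and the patch recommendation above into a repeatable host check, the following PowerShell script is an added example (not Picus or Microsoft code). It reports whether a host is in the affected release set, whether HTTP.sys is actively serving registered URLs (IIS, WinRM and WSDAPI all register through it), and whether a given update is installed; the `$PatchKb` value is an assumed placeholder to be replaced with the KB number from the MSRC advisory [3].

```powershell
# Added example: exposure check for CVE-2021-31166 on a single Windows host.
# $PatchKb is a placeholder assumption; take the real KB from the MSRC advisory.
param(
    [string]$PatchKb = 'KB-PLACEHOLDER'
)

# Releases listed in the advisory's affected-platform column.
$affectedReleases = @('2004', '20H1', '20H2')

$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
# DisplayVersion exists from 20H2 onward; earlier builds expose only ReleaseId.
$release = if ($cv.PSObject.Properties['DisplayVersion']) { $cv.DisplayVersion } else { $cv.ReleaseId }
$build   = "$($cv.CurrentBuildNumber).$($cv.UBR)"
$inAffectedSet = $affectedReleases -contains $release

# HTTP.sys is the kernel driver behind the "HTTP" service; it is reachable from
# the network only while the service is running and URL prefixes are registered.
$httpSvc     = Get-Service -Name HTTP -ErrorAction SilentlyContinue
$httpRunning = ($null -ne $httpSvc) -and ($httpSvc.Status -eq 'Running')
$registeredUrls = @()
if ($httpRunning) {
    # Registered prefixes appear as lines such as HTTP://+:5985/WSMAN/ (WinRM).
    $registeredUrls = @(netsh http show servicestate | Where-Object { $_ -match '^\s*HTTPS?://' })
}

# Get-HotFix only sees updates that register with Win32_QuickFixEngineering,
# which cumulative updates do; a placeholder KB simply yields $null.
$hotfix = Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue

$driverVersion = (Get-Item "$env:SystemRoot\System32\drivers\http.sys").VersionInfo.FileVersion

[pscustomobject]@{
    Product         = $cv.ProductName
    Release         = $release
    Build           = $build
    HttpSysVersion  = $driverVersion
    InAffectedSet   = $inAffectedSet
    HttpSysRunning  = $httpRunning
    RegisteredUrls  = $registeredUrls.Count
    PatchInstalled  = ($null -ne $hotfix)
    # Exposed = affected release, listener active, and no patch record found.
    Exposed         = $inAffectedSet -and $httpRunning -and ($null -eq $hotfix)
}
```

Run it in an elevated session so `netsh http show servicestate` can enumerate request queues; a host that reports `Exposed = True` should be prioritised for the May update and covered by the IPS signatures listed above until it is patched.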
References
[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-CVE-2021-31166
[2] https://github.com/0vercl0k/CVE-2021-31166
[3] https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166