Update

Ontvang gratis het Pinewood Cybersecurity Dreigingsbeeld en Adviesrapport NL 2022

Lees verder

Pinewood Security Bulletin – Critical vulnerabilities in Microsoft Windows

Pinewood Security Bulletin – Critical vulnerabilities in Microsoft Windows

Multiple vulnerabilities have been found in Microsoft Windows. Two of these vulnerabilities are given the CVSS-score of 9.8, which measures the vulnerabilities as highly critical. Both vulnerabilities can be used by unauthenticated attackers for remote code execution. The highest threat is the vulnerability of CVE-2022-21907.

Description

CVE-2022-21907: the vulnerability is in the HTTP Protocol stack (http.sys) and an unauthenticated attacker can remotely execute random code on a vulnerable system by sending specially crafted network packets. Microsoft indicates that this vulnerability is possibly ‘wormable’. This means that without interference of users malicious software can be spread to other vulnerable systems. Although there is no Proof-of-Concept of the exploit available at the time of writing, the NCSC expects this to be available soon.

CVE-2022-21849: the vulnerability is in the Microsoft IKE Key Exchange for IPSec and can only be used when IPSec is active. The vulnerability can help attackers to execute remote code.

Affected Products

The following products needs updates:

  • Windows 10 Version 1809, 20H2, 21H1, 21H2
  • Windows 11
  • Windows Server 2016, 2019, 2022

 

Exploitation is not limited to server application, client software can also be affected.

Workaround

In Windows Server 2019 and Windows 10 version 1809, the HTTP Trailer Support feature that contains the vulnerability is not active by default. The following registry key must be configured to introduce the vulnerable condition:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\

“EnableTrailerSupport”=dword:00000001

This mitigation does not apply to the other affected versions.

 

Solution

Microsoft has released new updates to address the vulnerability. There have been reports that this update may not work well on servers configured as a L2TP VPN server, Pinewood recommends to take this into consideration before deploying the update.

References

For more information view the full NCSC article https://www.ncsc.nl/actueel/advisory?id=NCSC-2022-0014

Questions

If you have any questions regarding this issue please contact Pinewood Support by phone 015 251 36 33 or via e-mail support@pinewood.nl.

Richard Strooper

CTO / Manager SOC

015 251 36 36

info@pinewood.nl