Pinewood Security Bulletin – Critical vulnerabilities in Microsoft Windows
Multiple vulnerabilities have been found in Microsoft Windows. Two of these vulnerabilities are given the CVSS-score of 9.8, which measures the vulnerabilities as highly critical. Both vulnerabilities can be used by unauthenticated attackers for remote code execution. The highest threat is the vulnerability of CVE-2022-21907.
CVE-2022-21907: the vulnerability is in the HTTP Protocol stack (http.sys) and an unauthenticated attacker can remotely execute random code on a vulnerable system by sending specially crafted network packets. Microsoft indicates that this vulnerability is possibly ‘wormable’. This means that without interference of users malicious software can be spread to other vulnerable systems. Although there is no Proof-of-Concept of the exploit available at the time of writing, the NCSC expects this to be available soon.
CVE-2022-21849: the vulnerability is in the Microsoft IKE Key Exchange for IPSec and can only be used when IPSec is active. The vulnerability can help attackers to execute remote code.
The following products needs updates:
- Windows 10 Version 1809, 20H2, 21H1, 21H2
- Windows 11
- Windows Server 2016, 2019, 2022
Exploitation is not limited to server application, client software can also be affected.
In Windows Server 2019 and Windows 10 version 1809, the HTTP Trailer Support feature that contains the vulnerability is not active by default. The following registry key must be configured to introduce the vulnerable condition:
This mitigation does not apply to the other affected versions.
Microsoft has released new updates to address the vulnerability. There have been reports that this update may not work well on servers configured as a L2TP VPN server, Pinewood recommends to take this into consideration before deploying the update.
For more information view the full NCSC article https://www.ncsc.nl/actueel/advisory?id=NCSC-2022-0014
If you have any questions regarding this issue please contact Pinewood Support by phone 015 251 36 33 or via e-mail email@example.com.