Picus Threat Library Updated for Critical HTTP Protocol Stack Vulnerability (CVE-2021-31166)

Keep up to date with latest blog posts

Picus Labs has updated the Picus Threat Library with new vulnerability exploitation attacks that exploit HTTP Protocol Stack Remote Code Execution (RCE) Vulnerability (CVE-2021-31166) [1]. This vulnerability is very critical since it is a wormable remote code execution vulnerability of an essential component of IIS (Internet Information Services) web server in Windows OSs.

 

 

 

Affected Software

Vulnerability Type

CVSS 3.1 Base Score

Affected Platforms

HTTP Protocol Stack (HTTP.sys)

Remote Code Execution (RCE)

9.8 Critical

Windows Server v. 2004

Windows 10 v. 2004

Windows 10 v. 20H1

Windows 10 v. 20H2

The HTTP Protocol Stack (HTTP.sys) is a kernel-mode device driver responsible for listening for HTTP requests from the network, passing the requests onto IIS for processing, and then returning processed responses to client browsers. Since HTTP.sys is the default protocol listener of IIS that listens for HTTP and HTTP requests, it is a major component of IIS. The vulnerability is due to a design flaw in the maintenance of a circular doubly linked list in UlpParseAcceptEncoding routine of HTTP.sys. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted packet to a targeted server that runs the HTTP Protocol Stack (http.sys). Windows Remote Management (WinRM) and Web Services on Devices (WSDAPI) are also affected by this vulnerability [2].

 Attack Simulation

Test your security controls against this vulnerability using Picus Security Control Validation Platform. Picus Threat Library includes the following threat for CVE-2021-31166 vulnerability. It contains 713 vulnerability exploitation threats in addition to 10.000+ other threats as of May 24, 2021.

Picus ID

Threat Name

804289

HTTP Protocol Stack Remote Code Execution Vulnerability Variant-1

Mitigation Recommendations

Picus Mitigation Library provides following signatures to prevent attacks trying to exploit CVE-2021-31166 vulnerability. It contains 64.155 prevention signatures as of May 24, 2021.

Product

SignatureId

SignatureName

F5 BIG-IP

200012070

HTTP Protocol Stack Remote Code Execution Vulnerability

PaloAlto IPS

91146

Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability

Snort

1.2032962.1

ET EXPLOIT Windows HTTP Protocol Stack UAF/RCE Inbound (CVE-2021-31166)

Snort

1.57605.1

OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt

SourceFire IPS

1.57605.1

OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt

TippingPoint

39732

HTTP: Microsoft IIS HTTP Protocol Stack Remote Code Execution Vulnerability

Microsoft addressed this vulnerability in the May patch release cycle and recommended patching affected operating systems [3].

References

[1]  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-CVE-2021-31166

[2] https://github.com/0vercl0k/CVE-2021-31166

[3] https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166

Subscribe

Keep up to date with latest blog posts