
Picus Threat Library Updated for Critical HTTP Protocol Stack Vulnerability (CVE-2021-31166)

Written by Picus Labs Red Team | May 24, 2021 10:57:03 AM

Picus Labs has expanded the Picus Threat Library with new simulations that replicate exploitation of the HTTP Protocol Stack Remote Code Execution vulnerability, CVE-2021-31166 [1]. This flaw is especially severe because it is wormable and affects an underlying Windows component that powers Microsoft Internet Information Services. An unauthenticated attacker can send crafted HTTP requests to a vulnerable, internet-facing service and achieve remote code execution, which can lead to full system compromise, service outages, and rapid lateral impact across adjacent hosts.

The new scenarios emulate real attacker behavior end to end, from initial probing and payload delivery to post-exploitation actions, so security teams can measure true exposure rather than rely on assumptions. Mapped to MITRE ATT&CK techniques such as Exploit Public-Facing Application, these tests help validate IDS and WAF signatures, EDR detections, and SIEM correlations. Organizations should apply vendor patches promptly, restrict and monitor inbound HTTP traffic, segment critical services, and maintain tested backups. Running these Picus simulations regularly confirms that controls detect and block CVE-2021-31166 exploitation attempts and that response playbooks work as intended.

| Affected Software | Vulnerability Type | CVSS 3.1 Base Score | Affected Platforms |
|---|---|---|---|
| HTTP Protocol Stack (HTTP.sys) | Remote Code Execution (RCE) | 9.8 Critical | Windows Server v. 2004; Windows 10 v. 2004; Windows 10 v. 20H1; Windows 10 v. 20H2 |

The HTTP Protocol Stack (HTTP.sys) is a kernel-mode device driver that listens for HTTP requests from the network, passes them to IIS for processing, and returns the processed responses to client browsers. Because HTTP.sys is the default protocol listener of IIS for HTTP and HTTPS requests, it is a core component of IIS. The vulnerability stems from a design flaw in how the UlpParseAcceptEncoding routine of HTTP.sys maintains a circular doubly linked list. An unauthenticated attacker can exploit it by sending a specially crafted packet to a targeted server that runs the HTTP Protocol Stack (http.sys). Windows Remote Management (WinRM) and Web Services on Devices (WSDAPI) are also affected by this vulnerability [2].

Attack Simulation

Test your security controls against this vulnerability using the Picus Security Control Validation Platform. The Picus Threat Library includes the following threat for the CVE-2021-31166 vulnerability. As of May 24, 2021, the library contains 713 vulnerability exploitation threats in addition to 10,000+ other threats.

| Picus ID | Threat Name |
|---|---|
| 804289 | HTTP Protocol Stack Remote Code Execution Vulnerability Variant-1 |

Mitigation Recommendations

The Picus Mitigation Library provides the following signatures to prevent attacks that try to exploit the CVE-2021-31166 vulnerability. It contains 64,155 prevention signatures as of May 24, 2021.

| Product | Signature ID | Signature Name |
|---|---|---|
| F5 BIG-IP | 200012070 | HTTP Protocol Stack Remote Code Execution Vulnerability |
| PaloAlto IPS | 91146 | Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability |
| Snort | 1.2032962.1 | ET EXPLOIT Windows HTTP Protocol Stack UAF/RCE Inbound (CVE-2021-31166) |
| Snort | 1.57605.1 | OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt |
| SourceFire IPS | 1.57605.1 | OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt |
| TippingPoint | 39732 | HTTP: Microsoft IIS HTTP Protocol Stack Remote Code Execution Vulnerability |

Microsoft addressed this vulnerability in the May patch release cycle and recommended patching affected operating systems [3].
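The post recommends validating that IDS signatures and SIEM correlations actually fire on CVE-2021-31166 traffic. As an added example (not part of the original post and not Picus or vendor code), the script below takes the two Snort signature IDs from the mitigation table (gid:sid 1:2032962 and 1:57605), parses Snort "alert_fast" output lines, keeps only alerts from those signatures, groups them by source address and marks sources that exceed a threshold so a SIEM rule can escalate them. The alert lines, IP addresses, the unrelated local-rule alert and the threshold value are constructed sample data, not real captures.

```python
"""Correlate Snort 'alert_fast' lines against the CVE-2021-31166 signature IDs.

Added example for this post; not Picus code. Only the gid:sid pairs come from
the mitigation table. Log lines, addresses and the threshold are constructed.
"""
import re
from collections import defaultdict

# gid:sid pairs from the mitigation table (Snort 1.2032962.1 and 1.57605.1).
CVE_2021_31166_SIDS = {(1, 2032962), (1, 57605)}

# Snort alert_fast layout:
# MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample alerts: two CVE-2021-31166 hits from one source against an
# IIS host, one hit from another source against a WinRM port, one unrelated
# local-rule alert (sid in the local range) and one line that is not an alert.
SAMPLE_ALERTS = """\
05/24-10:57:03.101234  [**] [1:2032962:1] ET EXPLOIT Windows HTTP Protocol Stack UAF/RCE Inbound (CVE-2021-31166) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:41234 -> 192.0.2.10:80
05/24-10:57:04.220001  [**] [1:57605:1] OS-WINDOWS Microsoft Windows HTTP protocol stack remote code execution attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:41235 -> 192.0.2.10:80
05/24-10:58:10.000500  [**] [1:2032962:1] ET EXPLOIT Windows HTTP Protocol Stack UAF/RCE Inbound (CVE-2021-31166) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.99:51000 -> 192.0.2.11:5985
05/24-10:59:00.000000  [**] [1:1000001:1] LOCAL unrelated test alert [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.10:80 -> 198.51.100.7:41234
this line is not a snort alert
"""


def parse_fast_alert(line):
    """Return a dict of alert fields, or None if the line is not alert_fast output."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "sport", "dport"):
        alert[key] = int(alert[key])
    alert["prio"] = int(alert["prio"]) if alert["prio"] else None
    return alert


def is_cve_2021_31166_alert(alert):
    """True when the alert came from one of the two signatures in the table."""
    return (alert["gid"], alert["sid"]) in CVE_2021_31166_SIDS


def correlate(lines, threshold=2):
    """Group CVE-2021-31166 alerts by source address.

    Returns (summary, unparsed_count). summary maps a source IP to its hit
    count, the sorted dst:port targets, the sorted SIDs that fired and an
    'escalate' flag set when count >= threshold (threshold is a constructed value).
    """
    hits = defaultdict(lambda: {"count": 0, "targets": set(), "sids": set()})
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        alert = parse_fast_alert(line)
        if alert is None:
            unparsed += 1          # malformed or non-alert line; count it so gaps are visible
            continue
        if not is_cve_2021_31166_alert(alert):
            continue               # some other signature; ignored here
        entry = hits[alert["src"]]
        entry["count"] += 1
        entry["targets"].add(f"{alert['dst']}:{alert['dport']}")
        entry["sids"].add(alert["sid"])
    summary = {
        src: {
            "count": e["count"],
            "targets": sorted(e["targets"]),
            "sids": sorted(e["sids"]),
            "escalate": e["count"] >= threshold,
        }
        for src, e in hits.items()
    }
    return summary, unparsed


if __name__ == "__main__":
    summary, unparsed = correlate(SAMPLE_ALERTS.splitlines())
    for src, e in sorted(summary.items()):
        state = "ESCALATE" if e["escalate"] else "watch"
        print(f"{src}: {e['count']} alert(s) sids={e['sids']} targets={e['targets']} [{state}]")
    print(f"unparsed lines: {unparsed}")
```

Running it on the constructed sample flags 198.51.100.7 (two hits against the IIS host) for escalation, lists 203.0.113.99 as a single hit against the WinRM port, and reports one unparsed line; an unparsed count that is unexpectedly high during a Picus simulation run is itself a sign that the sensor's output format or the log pipeline has changed.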

References

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31166

[2] https://github.com/0vercl0k/CVE-2021-31166

[3] https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166