Microsoft included in its latest update package (the May 2021 Patch Tuesday release) a security patch for a critical vulnerability in the HTTP Protocol Stack (HTTP.sys) used by Windows IIS. The same flaw also exposes unpatched Windows 10 and Windows Server systems that publish the WinRM (Windows Remote Management) service to the Internet, even when IIS is not installed.
The vulnerability is tracked as CVE-2021-31166 and was patched last Tuesday, cybersecurity specialists point out. It affects only Windows 10 and Windows Server versions 2004 and 20H2.
Given the severity of the flaw, Microsoft recommended that administrators of affected systems apply the security patches promptly, since a successful attack could lead to arbitrary code execution in HTTP.sys, which runs in kernel mode. Separately, security researcher Axel Souchet published proof-of-concept (PoC) exploit code; that PoC crashes vulnerable systems (a denial of service) rather than executing code.
As mentioned above, the flaw lies in the HTTP protocol stack (HTTP.sys) that Windows IIS uses as its protocol listener for processing HTTP requests. WinRM registers its own listeners (TCP 5985 for HTTP and 5986 for HTTPS) with that same kernel driver, so Windows 10 and Windows Server systems running the WinRM service reach the vulnerable code path through WinRM traffic, with or without IIS.
Although on Windows 10 client systems a user must enable the WinRM service manually, Windows Server endpoints in enterprise environments have it enabled by default, so administrators of Windows Server versions 2004 or 20H2 should assume their hosts are reachable through this vector until the update is installed.
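The following PowerShell triage script is an added example written for this page; it is not code from the article, from Microsoft, or from the researchers it names. It reports whether the local host is on one of the two named releases, whether the cumulative update that fixes the bug appears to be installed, and whether WinRM is listening through HTTP.sys and on which addresses, and can optionally scope the built-in WinRM firewall rules to a management subnet. The build-to-version mapping (19041 = 2004, 19042 = 20H2), the patched build revision (985) and the firewall rule group name are assumptions flagged in the comments; confirm the revision against Microsoft's advisory for CVE-2021-31166 before acting on the result.

```powershell
<#
  Added triage script for CVE-2021-31166 (illustrative code written for this page,
  not code from the article, Microsoft, or the researchers named above).
  Run in an elevated PowerShell session on the host being checked.

  Assumptions (not stated in the article; verify before relying on them):
    - The affected releases correspond to OS builds 19041 (2004) and 19042 (20H2).
    - The May 2021 cumulative update raises the build revision (UBR) to 985;
      confirm the exact revision in Microsoft's advisory for CVE-2021-31166.
    - WinRM listens on TCP 5985 (HTTP) and 5986 (HTTPS) through HTTP.sys.
    - The built-in firewall rules for WinRM live in the display group
      'Windows Remote Management'.
#>
param(
    # Optional management subnet, e.g. '10.20.0.0/24'. When given, the built-in
    # WinRM firewall rules are restricted to that remote address range.
    [string]$RestrictTo
)

$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber
$ubr   = [int]$cv.UBR

$affectedBuilds = @{ 19041 = '2004'; 19042 = '20H2' }   # assumption, see header
$patchedUbr     = 985                                   # assumption, see header

$isAffectedVersion = $affectedBuilds.ContainsKey($build)
$isPatched         = (-not $isAffectedVersion) -or ($ubr -ge $patchedUbr)
$versionLabel      = if ($isAffectedVersion) { $affectedBuilds[$build] } else { 'not 2004/20H2' }

# WinRM service state and listening sockets. Ports served by HTTP.sys show PID 4
# (System) as the owning process, which distinguishes them from a user-mode listener.
$winrm      = Get-Service -Name WinRM -ErrorAction SilentlyContinue
$winrmState = if ($winrm) { $winrm.Status.ToString() } else { 'not installed' }
$listeners  = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
                Where-Object { $_.LocalPort -in 5985, 5986 })
$onAllAddrs = @($listeners | Where-Object { $_.LocalAddress -in '0.0.0.0', '::' })
$httpSysOwned = @($listeners | Where-Object { $_.OwningProcess -eq 4 })

# URLs registered with HTTP.sys: WinRM registers /wsman on its ports, IIS its sites.
$httpSysUrls = @(netsh http show servicestate |
                 Select-String -Pattern 'HTTPS?://\S+' |
                 ForEach-Object { $_.Matches[0].Value })

[pscustomobject]@{
    OSBuild          = "$build.$ubr"
    ReleaseVersion   = $versionLabel
    AffectedVersion  = $isAffectedVersion
    PatchedForCVE    = $isPatched
    WinRMService     = $winrmState
    WinRMListenPorts = @($listeners.LocalPort | Sort-Object -Unique) -join ','
    BoundToAllAddrs  = ($onAllAddrs.Count -gt 0)
    HttpSysOwned     = ($httpSysOwned.Count -gt 0)
    HttpSysUrls      = @($httpSysUrls | Sort-Object -Unique) -join ' '
    AtRisk           = $isAffectedVersion -and (-not $isPatched) -and ($listeners.Count -gt 0)
} | Format-List

if ($RestrictTo) {
    # Scope the existing Allow rules rather than adding a Block rule: in Windows
    # Firewall an explicit Block takes precedence over Allow and would cut off the
    # management subnet as well.
    $rules = Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue
    if ($rules) {
        $rules | Set-NetFirewallRule -RemoteAddress $RestrictTo
        Write-Host "Scoped $(@($rules).Count) WinRM firewall rule(s) to $RestrictTo"
    } else {
        Write-Warning 'No built-in WinRM firewall rules found; review custom rules manually.'
    }
}
```

Scoping the firewall rules is a stopgap for hosts that cannot be patched immediately; it does not change the vulnerable driver and leaves any IIS site on the host reachable, so the cumulative update remains the actual fix.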
The WinRM attack vector was first reported by cybersecurity specialist Jim DeVries and subsequently confirmed by CERT/CC vulnerability analyst Will Dormann, who reproduced the crash against a WinRM listener using the DoS exploit developed by Souchet.
Dormann also found that more than 2 million Windows systems expose the WinRM service to the Internet. Fortunately, only a small subset of those is vulnerable, because the flaw affects only the 2004 and 20H2 versions.
Because exploit code is public and Microsoft describes the bug as wormable, threat actors could build on it to target systems that remain unpatched, although turning the published crash into reliable remote code execution would require further work. The practical impact is limited: WinRM is not enabled by default on client systems, and many organisations do not roll out the newest Windows Server releases as soon as they are published, so they are likely still running unaffected versions. For hosts that are on 2004 or 20H2, the remediation is to install the May 2021 update and, where WinRM or IIS must stay reachable, to restrict access to management networks in the meantime.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.