CVE-2022-21907: Microsoft Windows HTTP protocol DOS vulnerability

Recently, a CVE for Microsoft Windows HTTP protocol stack was publicly disclosed where a remote, unauthenticated attacker can cause a full compromise of the system. It affects various Windows versions, including the new Windows 11 OS (ARM64 and x64-based systems).

There is a Proof Of Concept (PoC) already available publicly, which shows how this vulnerability can be used to crash (Windows Blue Screen of Death) the system. With a single iteration of the attack, the Windows device will restart and function normally but with continuous attack, this could lead to Denial of Service (DoS) conditions.

Microsoft has recently released patches addressing this vulnerability. You can read here.

Are you vulnerable?

The good thing is there are a few requirements all of which are to be fulfilled for an attacker to be able to exploit this vulnerability:

Attack in action

Configuring the target

Attacking the target

Accept-Encoding Value

On experimenting with the accept-encoding value multiple times, we have observed that, the minimal Accept-Encoding value that has been able to trigger the vulnerability has the following values (both are needed):

Leverage subscription service to stay ahead of attacks

Keysight's Application and Threat Intelligence (ATI) Subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Center continuously monitors threats as they appear in the wild and has just released a strike for this CVE as part of BreakingPoint System’s recent update 2022-02. More information is present here.

The strike includes many variations of the attack, which the attackers might use against your network.

Customers of BreakingPoint now have access to attack campaigns for different advanced persistent threats, allowing them to test their currently deployed security controls’ ability to detect or block such attacks. For more details, see BreakingPoint.