Patch Tuesday: Web security issues in the spotlight in Microsoft’s bumper January update

A critical vulnerability in the Windows HTTP Protocol Stack presents a remote code execution (RCE) risk and could be “wormable”, Microsoft warns.

The vulnerability (tracked as CVE-2022-21907) stems from flaws in http.sys, a component of Windows that processes HTTP requests. Microsoft issued a patch to defend against the vulnerability yesterday (January 12) as part of the January edition of its regular, monthly Patch Tuesday updates.

Satnam Narang, staff research engineer at Tenable, commented: “To exploit this vulnerability, a remote, unauthenticated attacker could send a specially crafted request to a vulnerable server using the HTTP Protocol Stack.

“Microsoft warns that this vulnerability is wormable, meaning no human interaction would be required for an attack to spread from system to system.”

Danny Kim, principal architect at Virsec, added: “CVE-2022-21907 is a particularly dangerous CVE because of its ability to allow for an attack to affect an entire intranet once the attack succeeds. Microsoft has stated that this vulnerability is ‘wormable’ and should be patched immediately.”

A blog post by the SANS Institute’s Internet Storm Center explains that the problem arises from coding flaws in the HTTP trailers feature.

HTTP trailer support allows a sender to append additional header fields after the body of a message; it turns out that this feature can be manipulated with a specially crafted message to trigger the flaw.
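To show concretely what the trailer section is, here is an added example (not code from the article, SANS or Microsoft): a parser for the RFC 7230 chunked transfer encoding that separates the decoded body from the trailer fields that follow the last chunk, plus a helper a defender could use to log whether an inbound chunked request carries trailers at all. The sample body is constructed for the example.

```python
def parse_chunked(body: bytes):
    """Return (payload, trailers) from an RFC 7230 chunked body; ValueError on malformed input."""
    payload = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        # chunk-size may carry ";name=value" chunk extensions; ignore them
        size_field = body[pos:eol].split(b";", 1)[0].strip()
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ValueError(f"bad chunk size {size_field!r}") from None
        pos = eol + 2
        if size == 0:
            break  # last-chunk: the trailer section follows
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        payload += body[pos:pos + size]
        pos += size + 2
    trailers = {}
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("unterminated trailer section")
        line = body[pos:eol]
        pos = eol + 2
        if not line:
            break  # empty line closes the trailer section
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError(f"malformed trailer line {line!r}")
        trailers[name.strip().decode("ascii").lower()] = value.strip().decode("ascii")
    return bytes(payload), trailers

def has_trailers(body: bytes) -> bool:
    """Detection helper: True if a chunked body carries any trailer fields at all."""
    return bool(parse_chunked(body)[1])

# Constructed sample body (not a captured request): two chunks, then a last-chunk with two trailers.
SAMPLE_BODY = (
    b"5\r\nhello\r\n"
    b"6\r\n world\r\n"
    b"0\r\n"
    b"Content-MD5: placeholder\r\n"
    b"X-Custom-Trailer: 1\r\n"
    b"\r\n"
)
```

Feeding `SAMPLE_BODY` to `parse_chunked` yields `b"hello world"` and the two trailer fields; a body ending in `0\r\n\r\n` has no trailers.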

Other flaws

The first Patch Tuesday in 2022 includes remediation for 126 CVEs, nine of which are rated critical.

The batch includes patches for three RCE vulnerabilities in Microsoft Exchange Server (CVE-2022-21846, CVE-2022-21969, CVE-2022-21855).

One of these flaws, CVE-2022-21846, was reported to Microsoft by the US National Security Agency.

Although the flaw is not exploitable across the internet, and requires the victim and the attacker to share the same network, “an insider or attacker with a foothold in the target network could use this bug to take over the Exchange server,” a blog post by Trend Micro’s Zero Day Initiative warns.

The patch batch also includes an update for the open source cURL software, including a fix for an RCE vulnerability (CVE-2021-22947) that was originally disclosed last September.

Source: https://portswigger.net/daily-swig/patch-tuesday-web-security-issues-in-the-spotlight-in-microsofts-bumper-january-update


Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO