PoC released for wormable Windows IIS bug

A security researcher has published over the weekend proof-of-concept exploit code for a wormable Windows IIS server vulnerability.

Tracked as CVE-2021-31166, the vulnerability was discovered internally by Microsoft’s staff and patched last week in the May 2021 Patch Tuesday.

Several security researchers and security firms who reviewed last week’s security updates considered the bug the most dangerous vulnerability Microsoft fixed in this month’s patch cycle.

The bug, which received a severity rating of 9.8 out of 10 on the CVSSv3 scale, is a memory corruption vulnerability in the HTTP protocol stack included with recent Windows versions.

This stack is used by the Windows built-in IIS server. If this server is enabled, Microsoft says, an attacker can send a malformed packet and execute malicious code in the operating system kernel.

In a security advisory, Microsoft said the bug could be used to create network worms that jump from server to server and recommended “prioritizing the patching of affected servers.”

But while the bug sounds extremely dangerous, there are also a few mitigating factors. The first is that only recent versions of Windows are impacted.

This includes Windows 10 versions 2004 and 20H2 and Windows Server versions 2004 and 20H2, which are essentially the Windows 10 and Windows Server releases that shipped last year and are therefore unlikely to have been broadly deployed in production environments.
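As an added defender-side triage check (not code from the article or from Microsoft), the following PowerShell function flags a host that runs one of the releases named above and has the HTTP.sys kernel service or IIS listening. It assumes the publicly documented mapping of version 2004 to OS build 19041 and version 20H2 to build 19042; the KB number of the fix is a placeholder because the article does not give one.

```powershell
# Added example: inventory check for hosts on the builds the article names as
# affected, with HTTP.sys / IIS running and no fix installed. Not the vendor's tool.

# Assumption: Windows 10 / Windows Server version 2004 = build 19041, 20H2 = build 19042.
$AffectedBuilds = @{
    '19041' = 'version 2004'
    '19042' = 'version 20H2'
}

function Test-HttpSysExposure {
    [CmdletBinding()]
    param(
        # Placeholder: replace with the KB identifier of the May 2021 http.sys fix for this build.
        [string]$FixKB = 'KB<PLACEHOLDER>'
    )

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = ($os.Version -split '\.')[2]   # e.g. '10.0.19041' -> '19041'

    $result = [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Caption        = $os.Caption
        Build          = $build
        AffectedBuild  = $AffectedBuilds.ContainsKey($build)
        HttpSysRunning = $false
        IISRunning     = $false
        FixInstalled   = $false
        Action         = ''
    }

    # HTTP.sys is exposed through the 'HTTP' kernel service; IIS (W3SVC) sits on top of it.
    $http = Get-Service -Name HTTP  -ErrorAction SilentlyContinue
    $w3   = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
    $result.HttpSysRunning = [bool]($http -and $http.Status -eq 'Running')
    $result.IISRunning     = [bool]($w3   -and $w3.Status   -eq 'Running')

    # Get-HotFix returns nothing for an unknown or absent KB, so this stays $false until
    # the placeholder is replaced and the update is actually installed.
    $result.FixInstalled = [bool](Get-HotFix -Id $FixKB -ErrorAction SilentlyContinue)

    $result.Action = if (-not $result.AffectedBuild) {
        'Not one of the builds named as affected; confirm against the vendor advisory'
    } elseif ($result.FixInstalled) {
        'Affected build, fix present'
    } elseif ($result.IISRunning -or $result.HttpSysRunning) {
        'PATCH NOW: affected build with HTTP.sys listening'
    } else {
        'Affected build, HTTP.sys not running; patch in the next maintenance window'
    }
    return $result
}

Test-HttpSysExposure | Format-List
```

Run it locally or through `Invoke-Command` against a list of servers; the `Action` field gives the prioritisation the advisory asks for, with exposed, unpatched hosts on the named builds surfacing first.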

On Sunday, former Microsoft engineer and current security researcher Axel Souchet released proof-of-concept code for exploiting CVE-2021-31166. The code does not include worming capabilities but only crashes an unpatched Windows system running an IIS server.

Nevertheless, the availability of proof-of-concept code is usually the first step towards attackers experimenting with this attack.

Even if the number of vulnerable Windows IIS servers might be small, this will not dissuade attackers, who usually take whatever they can get.

Microsoft would like to see customers patch their systems, and the company itself is particularly sensitive to these types of vulnerabilities. In June 2019, a threat actor weaponized an Exim vulnerability to create a worm that spread through the company’s Linux-based Azure cloud servers. While Microsoft has most likely patched the IIS servers on its Azure infrastructure, there are still other cloud providers and corporate networks where such servers might still be running.

Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.
