As part of the May “Patch Tuesday” Microsoft has fixed a dangerous bug with worm potential in Internet Information Services (IIS), which received the identifier CVE-2021-31166.
Last week, many researchers and information security companies wrote that this vulnerability is one of the most serious problems fixed this month (9.8 out of 10 on the CVSS v3 scale).
The vulnerability is a memory corruption bug in the HTTP protocol stack (HTTP.sys), which ships with all recent versions of Windows and is used by the Windows IIS server. If that server is active, an attacker can send it a specially crafted packet and execute malicious code at the OS kernel level.
Worse, Microsoft warned that the vulnerability has the potential of a worm, that is, it could be used to create malware that spreads itself from server to server.
An exploit for this problem was recently made public. Fortunately, the vulnerability affects only the newest versions of the OS: Windows 10 2004 and 20H2, as well as Windows Server 2004 and 20H2, which are not yet widely deployed.
Security researcher Jim DeVries has now discovered that the vulnerability also affects Windows 10 and Windows Server devices running the Windows Remote Management (WinRM) service, a Windows Hardware Management component that also relies on the vulnerable HTTP.sys.
Home users have to enable WinRM manually, but on corporate Windows Server endpoints WinRM is enabled by default, which makes them vulnerable to attack if they run Windows versions 2004 or 20H2.
DeVries’ findings have already been confirmed by CERT/CC analyst Will Dormann, who successfully compromised the system using a previously published DoS exploit.
Dormann also found that more than 2,000,000 systems with the WinRM service running are reachable over the internet, although not all of them are vulnerable to CVE-2021-31166 because, as noted above, the bug affects only Windows 10 and Windows Server versions 2004 and 20H2.
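As an added example (not code from the article or from the researchers it cites), the following PowerShell check flags a host that matches the exposure described above: a Windows 10 or Windows Server build corresponding to 2004 or 20H2 with WinRM (or IIS) actively serving through HTTP.sys. The build-to-version mapping (19041 = 2004, 19042 = 20H2) is assumed from Microsoft's release numbering, and the `$PatchKB` value is a placeholder to be taken from Microsoft's advisory for CVE-2021-31166.

```powershell
# Added defensive inventory check for the CVE-2021-31166 exposure described in
# the article. It reports configuration facts only; it does not test the bug.
# Assumption: build 19041 = version 2004, build 19042 = version 20H2.
$affectedBuilds = @{ '19041' = '2004'; '19042' = '20H2' }

function Get-Cve202131166Exposure {
    param(
        # Placeholder: substitute the KB id from Microsoft's advisory for CVE-2021-31166.
        [string]$PatchKB = 'KB<number-from-MS-advisory>'
    )
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [string]$os.BuildNumber
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue   # WinRM service
    $iis   = Get-Service -Name W3SVC -ErrorAction SilentlyContinue   # IIS web server

    # HTTP.sys listeners registered by WinRM (readable only while the service runs)
    $listeners = @()
    if ($winrm -and $winrm.Status -eq 'Running') {
        $listeners = Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Keys -join ',' }
    }

    $patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)
    $httpSysInUse = ($winrm -and $winrm.Status -eq 'Running') -or
                    ($iis   -and $iis.Status   -eq 'Running')

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Caption         = $os.Caption
        Build           = $build
        AffectedVersion = $affectedBuilds[$build]   # $null when not 2004 / 20H2
        WinRMStatus     = if ($winrm) { [string]$winrm.Status } else { 'NotInstalled' }
        IISStatus       = if ($iis)   { [string]$iis.Status }   else { 'NotInstalled' }
        WinRMListeners  = $listeners
        PatchInstalled  = $patched
        # Exposed = affected build, HTTP.sys consumer running, fix not yet installed
        Exposed         = [bool]($affectedBuilds.ContainsKey($build) -and $httpSysInUse -and -not $patched)
    }
}

$result = Get-Cve202131166Exposure
$result | Format-List
if ($result.Exposed) {
    Write-Warning "Build $($result.Build) ($($result.AffectedVersion)) exposes HTTP.sys via WinRM/IIS: apply the May 2021 update, or stop WinRM/IIS until patched."
}
```

Run it through your usual remote-execution tooling to collect one object per host; hosts reporting `Exposed = True` are the ones where the default-on WinRM configuration noted above turns a new server build into a reachable target.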
Let me also remind you that I wrote about how Microsoft developed a SimuLand lab environment for simulating cyberattacks.