As part of the May “Patch Tuesday” Microsoft has fixed a dangerous bug with worm potential in Internet Information Services (IIS), which received the identifier CVE-2021-31166.
The vulnerability is related to corruption of information in the memory of the HTTP protocol stack, which is included in all recent versions of Windows. This stack is used by the Windows IIS server. If this server is active, an attacker can send it a specially prepared packet and execute malicious code at the OS kernel level.
Worse, Microsoft warned that the vulnerability has the potential of a worm, that is, it could be used to create malware that spreads itself from server to server.
An exploit for this problem was recently published in the public domain. Fortunately, the vulnerability affects only the newest versions of the OS: Windows 10 2004 and 20H2, as well as Windows Server 2004 and 20H2, which are not yet very widespread.
Security researcher Jim DeVries has now discovered that the vulnerability also affects devices running Windows 10 and Windows Server running the Windows Remote Management (WinRM) service, a Windows Hardware Management component that also exploits the vulnerable HTTP.sys.
And if ordinary users have to enable WinRM manually, then on corporate endpoints of Windows Server WinRM is enabled by default, which makes them vulnerable to attacks if they use Windows versions 2004 or 20H2.
DeVries’ findings have already been confirmed by CERT/CC analyst Will Dormann, who successfully compromised the system using a previously published DoS exploit.
Dormann also discovered that more than 2,000,000 systems with the WinRM service running can be found on the network, although not all of them are vulnerable to CVE-2021-31166, because, as mentioned above, the bug affects only Windows 10 and Windows Server versions 2004 and 20H2.
Let me remind you that I also wrote that Microsoft developed a SimuLand lab environment for simulating cyberattacks.