CVE-2021-31166: HTTP Protocol Stack Remote Code Execution Vulnerability

Overview

Severity: Critical (CVSS 9.8)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Remote Code Execution
Exploit Status: Not Exploited
Exploitation Likelihood: More Likely
Patch Tuesday: 2021-May
Released: 2021-05-11
EPSS Score: 92.99% (percentile: 99.8%)
CISA KEV: Listed — due 2022-04-27

FAQ

How could an attacker exploit this vulnerability?
In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets.

Is this wormable?
Yes. Microsoft recommends prioritizing the patching of affected servers.

Known Exploits (10)

  • Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability — added 2023-07-05T03:53:10Z
  • Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability — added 2022-11-22T09:10:36Z
  • Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability — added 2022-03-07T18:56:52Z
  • Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability — added 2021-07-03T14:54:59Z
  • Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability — added 2021-05-21T10:38:41+08:00
  • Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability — added 2021-05-20T05:00:38+08:00
  • Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability — added 2021-05-19T07:50:40Z
  • Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability — added 2021-05-18T20:34:58+08:00
  • Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability — added 2021-05-17T11:12:45Z
  • Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability — added 2021-05-16T16:15:56Z

Detection & Weaponization (3 sources)

Maturity: Detection

  • Metasploit modules: Windows IIS HTTP Protocol Stack DOS
  • YARA rules: exploit_cve_2021_31166.yar, SIGNATURE_BASE_EXPL_CVE_2021_31166_Accept_Encoding_May21_1
  • GitHub PoC: 10 repositories

Affected Products (7)

Windows

  • Windows 10 Version 2004 for 32-bit Systems
  • Windows 10 Version 2004 for ARM64-based Systems
  • Windows 10 Version 2004 for x64-based Systems
  • Windows Server, version 2004 (Server Core installation)
  • Windows 10 Version 20H2 for 32-bit Systems
  • Windows 10 Version 20H2 for ARM64-based Systems
  • Windows Server, version 20H2 (Server Core Installation)

Security Updates (1)

Acknowledgments

Microsoft Platform Security & Vulnerability Research

Revision History

  • 2021-05-11: Information published.