CVE-2021-31166
📋 TL;DR
CVE-2021-31166 is a critical remote code execution vulnerability in the Microsoft HTTP Protocol Stack (http.sys) that allows unauthenticated attackers to execute arbitrary code with SYSTEM privileges by sending specially crafted packets to vulnerable Windows servers. This affects Windows servers running the HTTP Protocol Stack, particularly those with HTTP/2 enabled. The vulnerability is wormable and can be exploited without user interaction.
💻 Affected Systems
- Windows Server 2019
- Windows Server 2022
- Windows 10 Version 20H2
- Windows 10 Version 21H1
📦 What is this software?
Windows 10 2004 by Microsoft
Windows 10 20H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise leading to ransomware deployment, data exfiltration, lateral movement across networks, and persistent backdoor installation on vulnerable servers.
Likely Case
Remote code execution leading to server takeover, credential theft, and deployment of additional malware payloads.
If Mitigated
Attack blocked at network perimeter or by disabled HTTP/2; limited to denial of service if exploit fails.
🎯 Exploit Status
Exploit code is publicly available and has been observed in active attacks. The vulnerability is wormable and can spread rapidly across networks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: May 2021 security updates (KB5003173 for Windows 10 20H2/21H1, KB5003197 for Server 2019, KB5003242 for Server 2022)
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31166
Restart Required: Yes
Instructions:
1. Apply the May 2021 Windows security updates from Microsoft Update.
2. For Windows Server, use Windows Update or download the update from the Microsoft Update Catalog.
3. Restart affected systems after the patch is installed.
4. Verify the patch installation with the 'systeminfo' command.
🔧 Temporary Workarounds
Disable HTTP/2 Protocol
Disables HTTP/2 in the HTTP Protocol Stack to prevent exploitation while keeping HTTP/1.1 working. The two http.sys parameters below are Microsoft's documented switches for HTTP/2 (a value of 0 disables it); run from an elevated prompt and restart the server afterwards for the change to take effect.
rem disable HTTP/2 over TLS (https)
reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v EnableHttp2Tls /t REG_DWORD /d 0 /f
rem disable HTTP/2 cleartext (http)
reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v EnableHttp2Cleartext /t REG_DWORD /d 0 /f
Block TCP Port 443/80 at Firewall
Blocks inbound HTTP/HTTPS traffic to vulnerable servers until patching can be completed.
New-NetFirewallRule -DisplayName "Block HTTP/HTTPS" -Direction Inbound -Protocol TCP -LocalPort 80,443 -Action Block
🧯 If You Can't Patch
- Isolate vulnerable servers in separate network segments with strict firewall rules
- Implement network-based intrusion prevention systems (IPS) with signatures for CVE-2021-31166
🔍 How to Verify
Check if Vulnerable:
Check whether the system is running an affected Windows version with HTTP/2 enabled. Use 'systeminfo' to check the OS version and 'netsh http show servicestate' to check HTTP/2 status.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify May 2021 security updates are installed via 'systeminfo' or 'Get-HotFix -Id KB5003173, KB5003197, KB5003242' in PowerShell.
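As an added example (not part of this advisory), the PowerShell check below combines the two verification steps above: it looks for the May 2021 KBs listed here, falls back to the OS build's UBR because a later cumulative update replaces the May one in Get-HotFix output (the 985 threshold for builds 19041/19042/19043 is assumed from Microsoft's KB5003173 release notes, not from this page), and reads the documented http.sys registry values that disable HTTP/2.

```powershell
# Added example, not the advisory's own tooling. Run from an elevated PowerShell prompt.
# KB IDs come from the advisory above; the UBR threshold is an assumption (KB5003173 notes).
$KbIds  = @('KB5003173', 'KB5003197', 'KB5003242')
$MinUbr = @{ '19041' = 985; '19042' = 985; '19043' = 985 }   # assumed May 2021 UBR levels

function Get-Cve202131166Status {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    # Get-HotFix only reports the currently installed cumulative update; once a later
    # LCU supersedes the May 2021 one, the May KB no longer appears, so compare the UBR too.
    $kbFound = @(Get-HotFix -ErrorAction SilentlyContinue |
                 Where-Object { $KbIds -contains $_.HotFixID } |
                 ForEach-Object HotFixID)
    $ubrOk = $MinUbr.ContainsKey($build) -and ($ubr -ge $MinUbr[$build])

    # HTTP/2 is disabled in http.sys only when both documented values are present and 0;
    # a missing value means the default (HTTP/2 enabled).
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters' -ErrorAction SilentlyContinue
    $http2Tls   = if ($null -eq $p.EnableHttp2Tls)       { 1 } else { [int]$p.EnableHttp2Tls }
    $http2Clear = if ($null -eq $p.EnableHttp2Cleartext) { 1 } else { [int]$p.EnableHttp2Cleartext }

    [pscustomobject]@{
        Build          = "$build.$ubr"
        MayKbInstalled = $kbFound
        AtOrPastMay21  = ($kbFound.Count -gt 0) -or $ubrOk
        Http2Disabled  = ($http2Tls -eq 0 -and $http2Clear -eq 0)
    }
}

$status = Get-Cve202131166Status
$status | Format-List
if (-not $status.AtOrPastMay21 -and -not $status.Http2Disabled) {
    Write-Warning 'Unpatched with HTTP/2 enabled: apply the May 2021 update or disable HTTP/2.'
}
```

A host whose build is not in the assumed table (for example a version the table does not cover) reports AtOrPastMay21 only from Get-HotFix, so treat a False there as "check manually" rather than "vulnerable".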
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs: Event ID 1 from http.sys with crash details
- IIS logs showing malformed HTTP/2 requests
- Security logs showing unexpected process creation from http.sys
Network Indicators:
- Malformed HTTP/2 packets with specific patterns targeting http.sys
- Unusual traffic to TCP port 443/80 from unknown sources
- Exploit patterns matching public PoC code
SIEM Query:
source="*windows*" event_id=1 process_name="http.sys" OR (http_user_agent CONTAINS "malformed" AND http_version="HTTP/2")
🔗 References
- http://packetstormsecurity.com/files/162722/Microsoft-HTTP-Protocol-Stack-Remote-Code-Execution.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31166
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-31166