CVE-2022-35748

7.5 HIGH

📋 TL;DR

CVE-2022-35748 is a denial-of-service vulnerability in HTTP.sys that allows remote attackers to crash affected Windows servers by sending specially crafted HTTP requests. This affects Windows servers running IIS with HTTP.sys enabled. The vulnerability can cause service disruption without requiring authentication.

💻 Affected Systems

Products:
  • Windows Server
  • Windows
Versions: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows 11, Windows 10
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with HTTP.sys enabled (default in Windows Server with IIS).

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service outage of web applications running on affected Windows servers, requiring a server restart to recover.

🟠 Likely Case: Temporary service disruption affecting web application availability until the server recovers or is restarted.

🟢 If Mitigated: Minimal impact with proper network segmentation and monitoring in place to detect and block attack attempts.

🌐 Internet-Facing: HIGH - Internet-facing Windows servers with HTTP.sys are directly vulnerable to unauthenticated remote attacks.
🏢 Internal Only: MEDIUM - Internal servers are still vulnerable but attack surface is reduced by network segmentation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A simple HTTP request is enough to trigger the vulnerability, so exploitation is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: August 2022 security updates

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35748

Restart Required: Yes

Instructions:

1. Apply the August 2022 Windows security updates.
2. Restart affected systems.
3. Verify update installation via Windows Update history.

🔧 Temporary Workarounds

Disable HTTP.sys (platform: windows)

Remove HTTP.sys from affected systems if it is not required. Note that IIS and any other service that listens through HTTP.sys go offline with it:

Disable-WindowsOptionalFeature -Online -FeatureName IIS-HttpSys

Network filtering (platform: all)

Implement network filtering to block suspicious HTTP requests.

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable servers
  • Deploy web application firewall (WAF) with DoS protection rules

🔍 How to Verify

Check if Vulnerable:

Check the Windows version and patch level with the systeminfo command.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify that the August 2022 security updates are installed via Windows Update history.
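The verification steps above can be scripted. The following PowerShell is an added example, not part of the advisory page: it lists updates installed on or after the August 2022 Patch Tuesday (9 August 2022), checks for a specific KB once you substitute the one the vendor advisory names for your build (the `KBXXXXXXX` value is a placeholder), and shows the state of the HTTP service that backs HTTP.sys.

```powershell
# Added example (not from the advisory page): reports whether Windows updates
# installed on or after the August 2022 Patch Tuesday (9 August 2022) are
# present and shows the state of the HTTP service that backs HTTP.sys.
# The KB number for a given OS build comes from the MSRC advisory; the value
# below is a placeholder, not a real identifier.

$patchTuesday = [datetime]'2022-08-09'
$expectedKb   = 'KBXXXXXXX'   # placeholder: substitute the KB listed in the vendor advisory for this build

# Get-HotFix reads Win32_QuickFixEngineering. InstalledOn can be empty for
# some entries, so empty values are excluded before the date comparison.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn -Descending

if ($recent) {
    Write-Output "Updates installed on or after $($patchTuesday.ToString('yyyy-MM-dd')):"
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
} else {
    Write-Warning "No updates installed since $($patchTuesday.ToString('yyyy-MM-dd')); treat this host as unpatched for CVE-2022-35748."
}

# Direct check for the advisory's KB once the placeholder has been replaced.
if ($expectedKb -ne 'KBXXXXXXX') {
    if (Get-HotFix -Id $expectedKb -ErrorAction SilentlyContinue) {
        Write-Output "$expectedKb is installed."
    } else {
        Write-Warning "$expectedKb is not installed."
    }
}

# HTTP.sys is exposed as the kernel-mode 'HTTP' service; IIS and other
# HTTP.sys listeners depend on it. Running/Automatic means the driver is active.
Get-Service -Name HTTP | Select-Object Name, DisplayName, Status, StartType

# OS version, the same information as the page's systeminfo check.
Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber
```

Run it in an elevated PowerShell session on each host in scope. A host with no updates after the cutoff, or with the HTTP service running but the advisory's KB absent, should be treated as unpatched.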

📡 Detection & Monitoring

Log Indicators:

  • HTTP.sys crash events in Windows Event Log
  • Unexpected IIS worker process restarts

Network Indicators:

  • Multiple malformed HTTP requests to same endpoint
  • Spike in HTTP 500 errors

SIEM Query:

EventID=1000 AND Source="HTTP" AND "HTTP.sys"
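The two network indicators above can be checked directly against IIS W3C logs. The PowerShell below is an added example, not part of the advisory page: it parses W3C-format log lines (the sample lines and the thresholds are constructed for illustration) and reports per-minute spikes of HTTP 5xx responses and client/endpoint pairs with repeated requests.

```powershell
# Added example (not from the advisory page): looks for the two network
# indicators listed in the advisory in IIS W3C log lines, namely repeated
# requests from one client to one endpoint and a per-minute spike in HTTP 500
# responses. The log text and the thresholds are constructed for illustration.

$sampleLog = @'
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-08-10 10:00:01 10.0.0.5 GET /index.html - 80 - 10.0.0.20 Mozilla/5.0 - 200 0 0 15
2022-08-10 10:00:02 10.0.0.5 GET /api/items - 80 - 10.0.0.21 Mozilla/5.0 - 200 0 0 22
2022-08-10 10:00:05 10.0.0.5 GET /api/items - 80 - 198.51.100.7 curl/7.79 - 500 0 64 3
2022-08-10 10:00:06 10.0.0.5 GET /api/items - 80 - 198.51.100.7 curl/7.79 - 500 0 64 2
2022-08-10 10:00:07 10.0.0.5 GET /api/items - 80 - 198.51.100.7 curl/7.79 - 500 0 64 2
2022-08-10 10:00:08 10.0.0.5 GET /api/items - 80 - 198.51.100.7 curl/7.79 - 500 0 64 4
2022-08-10 10:01:30 10.0.0.5 GET /about.html - 80 - 10.0.0.22 Mozilla/5.0 - 200 0 0 11
'@

function ConvertFrom-IisW3CLog {
    # Turns W3C log lines into objects whose property names are the #Fields names.
    # W3C logging replaces spaces inside values with '+', so a single-space split is safe.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        if (-not $fields) { throw 'Data line seen before a #Fields directive' }
        $values = $line -split ' '
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $record[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { $null }
        }
        [pscustomobject]$record
    }
}

function Find-Http500Spikes {
    # Buckets 5xx responses per minute and returns minutes at or above the threshold.
    param([object[]]$Records, [int]$Threshold = 3)
    $Records |
        Where-Object { [int]$_.'sc-status' -ge 500 } |
        Group-Object -Property { '{0} {1}' -f $_.date, $_.time.Substring(0, 5) } |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object { [pscustomobject]@{ Minute = $_.Name; ServerErrors = $_.Count } }
}

function Find-RepeatedEndpointRequests {
    # Returns client/endpoint pairs with repeated requests, with the 5xx count alongside.
    param([object[]]$Records, [int]$Threshold = 3)
    $Records |
        Group-Object -Property { '{0} {1}' -f $_.'c-ip', $_.'cs-uri-stem' } |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                ClientIp     = $_.Group[0].'c-ip'
                Endpoint     = $_.Group[0].'cs-uri-stem'
                Requests     = $_.Count
                ServerErrors = @($_.Group | Where-Object { [int]$_.'sc-status' -ge 500 }).Count
            }
        }
}

$records = ConvertFrom-IisW3CLog -Lines ($sampleLog -split "`r?`n")

Write-Output 'Minutes with a spike of HTTP 5xx responses:'
Find-Http500Spikes -Records $records -Threshold 3 | Format-Table -AutoSize

Write-Output 'Client/endpoint pairs with repeated requests:'
Find-RepeatedEndpointRequests -Records $records -Threshold 3 | Format-Table -AutoSize
```

On a real server, replace `$sampleLog` with `Get-Content` over the site's log directory (the IIS default is `%SystemDrive%\inetpub\logs\LogFiles\W3SVC<site id>\`) and tune the thresholds to the site's normal traffic. One caveat for this CVE: requests that HTTP.sys rejects or that crash it never reach the IIS worker process, so they do not appear in the W3C site logs at all; the HTTP.sys error log under `%SystemRoot%\System32\LogFiles\HTTPERR\` and the event-log indicators listed above are the only record of those.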
