CVE-2021-31166 PoC Released

THE THREAT

On May 16th, 2021, a security researcher released Proof-of-Concept (PoC) exploit code for the Windows IIS server vulnerability CVE-2021-31166 (CVSS: 9.8). With this release, eSentire assesses widespread exploitation of this vulnerability is imminent.

CVE-2021-31166 was publicly announced on May 11th, 2021. Exploitation may allow for either Denial of Service (DoS) or Remote Code Execution (RCE). The currently available PoC exploit code demonstrates a DoS attack. Organizations are strongly recommended to apply security patches for this vulnerability as exploitation is expected.

What we’re doing about it

• MVS has a local plugin to identify devices vulnerable to CVE-2021-31166
• eSentire security teams continue to track this topic for additional details and detection opportunities

What you should do about it

• After performing a business impact review apply the official security patches provided by Microsoft

Additional information

CVE-2021-31166 is especially concerning as it is considered to be a wormable vulnerability. Wormable vulnerabilities can be abused to allow for automatic spread between vulnerable systems.

In an attack scenario, a threat actor could exploit this vulnerability by sending a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets. Exploitation is considered simple, increasing the likelihood of exploitation in the immediate future.

eSentire produced an advisory on May 11th, with information on CVE-2021-31166 and other high severity vulnerabilities from Microsoft’s May Patch Tuesday release.

Impacted products:

• Windows Server, version 20H2
• Windows Server, version 2004
• Windows 10 (multiple versions)

References:

[1] https://github.com/0vercl0k/CVE-2021-31166
[2] https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166
[3] https://www.esentire.com/security-advisories/microsoft-patches-critical-vulnerabilities