Learn About the CVE-2022-21907 Vulnerability
It’s Exploit Wednesday, and February’s Vuln of the Month is an HTTP protocol stack remote code execution vulnerability. While we have no evidence this vuln has been exploited to date, in this case, it’s worth patching if you’re a potential target.
CVE-2022-21907 is an unusual choice for Vuln of the Month (it earns the lowest Kenna Risk Meter score of any vuln yet featured in this series). But this CVE can pose real trouble to organizations running Windows Server 2019 and Windows 10 version 1809 under certain conditions—if exploit code should materialize at some point.
Our research shows that CVE-2022-21907 meets many of the criteria we look for in a vulnerability that could be exploited, including:
- Access complexity: Low
- Potential attack surface: Broad
- Exploitable remotely: Yes
- Authentication/privilege requirements: None
- Potential impact on availability: High
- Exploit code published: No
- Active exploits observed: No
The Kenna Risk Score for CVE-2022-21907 is 41, the lowest score of any vuln we’ve featured in this series. Yet despite this seemingly low score, this CVE still represents a higher risk than 90.9% of all vulns we’ve scored. Considering it has received a “Critical” score of 9.8 from CVSS 3.x and 10.0 “High” rating from CVSS 2.0, it’s clear this vuln poses a risk to someone. And if it’s ever exploited, that risk level will likely jump.
Why CVE-2022-21907 matters
Virtually any Windows-related vulnerability at least deserves a look, and CVE-2022-21907 is no different. It is a remote code execution vulnerability in the HTTP protocol stack that, under the right conditions, can lead to a shutdown of servers, systems, or services. Attackers need no privileges; they just need to find organizations running Windows Server 2019 or Windows 10 Version 1809 that have enabled HTTP trailer support via the EnableTrailerSupport registry value. That is quite a specific requirement, but it is not nothing. And while it has not been exploited to our knowledge yet, Microsoft’s own exploitability index rates exploitation of CVE-2022-21907 as “more likely.” In Microsoft’s index, the only more severe rating is “exploitation detected.”
Scoring potential vs. current risk
CVE-2022-21907 is an interesting vuln to spotlight because it offers a chance to explore the difference between a vulnerability score like CVSS and a true risk score. This CVE receives high scores from CVSS but, on a relative scale, it earns a lower score from Kenna’s Risk Score methodology. One reason is that CVSS measures the maximum potential severity of this CVE, and since it affects a couple of versions of popular Microsoft platforms, that tends to amplify scores a bit. A Kenna Risk Score, in contrast, measures the current risk level of the CVE. Kenna takes into account all the technical criteria CVSS uses, but also layers in vital contextual data, including the behaviors of attackers and their expected exploit trajectories. Because exploits have not been reported for CVE-2022-21907, it remains more of a future risk than an imminent one. Here, CVSS is covering its bases, because CVSS scores generally do not change over time. But as we’ve noted recently, vulnerabilities are dynamic, and so are their risk levels.
Still, many organizations rely on CVSS scores to prioritize their fix lists, and they tend to try to fix every CVE with a CVSS score of 7 or higher. But that strategy comes at a price: one out of every three CVEs earns a CVSS score of 7 or higher. Apply that to the 20,000+ vulnerabilities added to the NVD last year, and you are talking about one really, really long fix list.
A preferred approach is to prioritize the vulnerabilities that represent the biggest risk to your organization right now and to use a dynamic scoring system capable of showing you the CVEs most worth your very limited and valuable time. That way, you won’t be chasing vulns that might be a risk one day while ignoring others whose risk to you and your business is much more immediate.
This is a relatively easy fix for affected Microsoft users, but since no exploits have been observed yet, it may not deserve to top your fix list today. But you should consider addressing it before too long.
Cisco Talos has an overview of every vulnerability Microsoft patched in January, along with Snort rules to keep users protected, over on their blog, and February’s Patch Tuesday roundup can be found here.
On Jan. 12, Microsoft issued a security update guide that details the registry edit needed to close this vulnerability on Windows Server 2019 and Windows 10 Version 1809.
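Because the exposure described above depends on both the OS build and the presence of the EnableTrailerSupport value, a quick inventory check is the practical first step before deciding where this CVE lands on a fix list. The PowerShell below is an added example for that purpose; it is not code from the Kenna post or from Microsoft. It assumes the registry location HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters for the EnableTrailerSupport DWORD (taken from Microsoft’s guidance, not stated on this page) and that build number 17763 corresponds to Windows 10 1809 and Windows Server 2019. It only reads state and reports; it changes nothing.

```powershell
# Added example (not from the Kenna post or Microsoft): report whether this host
# is in the configuration the post describes as exposed to CVE-2022-21907.
# Assumptions: registry path and value name per Microsoft's guidance (not on the page);
# build 17763 = Windows 10 1809 / Windows Server 2019.

$HttpParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$TrailerValue  = 'EnableTrailerSupport'
$AffectedBuild = 17763   # assumption: 1809 / Server 2019 code base

function Get-TrailerSupportState {
    # Returns whether the value exists and, if so, its DWORD content.
    $props = Get-ItemProperty -Path $HttpParamsKey -Name $TrailerValue -ErrorAction SilentlyContinue
    if ($null -eq $props) {
        return [pscustomobject]@{ Present = $false; Value = $null }
    }
    [pscustomobject]@{ Present = $true; Value = [int]$props.$TrailerValue }
}

function Test-Cve202221907Exposure {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $state = Get-TrailerSupportState

    # Exposure per the post: affected build AND trailer support switched on (non-zero).
    $onAffectedBuild = ($build -eq $AffectedBuild)
    $trailerEnabled  = $state.Present -and ($state.Value -ne 0)
    $exposed         = $onAffectedBuild -and $trailerEnabled

    if ($exposed) {
        $advice = 'Exposed configuration: apply the January 2022 update; Microsoft''s guide describes the registry change that mitigates until then.'
    } elseif ($onAffectedBuild) {
        $advice = 'Affected build, but trailer support is not enabled; apply the update on the normal cadence.'
    } else {
        $advice = 'Build is not one the post names as affected; patch per normal cadence.'
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSCaption      = $os.Caption
        Build          = $build
        TrailerValue   = if ($state.Present) { $state.Value } else { 'not set' }
        Exposed        = $exposed
        Recommendation = $advice
    }
}

# Run locally; wrap in Invoke-Command to collect the same object from a fleet.
Test-Cve202221907Exposure | Format-List
```

Feeding the returned object into a CSV or ticketing export gives the prioritization discussed in the post some ground truth: hosts where Exposed is true are the ones where this CVE belongs higher on the list, while the rest can wait for the regular patch cycle.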
Watch this space for regular Vuln of the Month spotlights, which appear on Exploit Wednesday, the day following Microsoft’s monthly Patch Tuesday patch release. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our vulnerability intelligence powered by machine learning.