June Vuln of the Month: CVE-2021-31166
Share with Your Network
Yesterday was Patch Tuesday, so it’s time for Exploit Wednesday—the day we publish our latest Vuln of the Month blog. This month’s vuln is a great example of why static vulnerability scores can get you into trouble, because some vulns are anything but static. June’s Vuln of the Month is CVE-2021-31166, a wormable Use After Free vulnerability on various Windows operating systems that can result in an http.sys remote code execution attack summoning the dreaded Windows blue screen of death or much, much worse.
Our research shows that CVE-2021-31166 meets many of the criteria we look for to be widely exploited, including:
- Access complexity: Low
- Potential attack surface: Large
- Exploitable remotely: Yes
- Authentication/privilege requirements: None
- Potential impact on availability: Significant
- Exploit code published: Yes
- Active exploits observed: No
As the above graph illustrates, only 1.18% of observed vulnerabilities pose a greater risk than CVE-2021-31166.
Why CVE-2021-31166 matters
This Use After Free vulnerability has the potential for serious damage if an unauthenticated attacker sends a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets. It can be exploited remotely without any special authentication or credentials. The result could be a system crash and one of the least-loved sights for any Windows administrator: the BSOD. Even worse, the impact of a successful exploit to a business could be rendering web services, applications, websites, or data entirely unavailable.
It’s also important because Microsoft’s massive installed base gives many Windows vulnerabilities the potential to cause a ruckus. CVE-2021-31166 is no different.
Organizations running a web server for local development may be at risk of exploitation. So too are those running Windows Remote Management (WinRM) or Web Services on Devices (WSDAPI) on any of the following versions of Windows:
- Windows Server Ver. 2004 (or 20H1) (Server Core Installation)
- Windows 10 Ver. 2004 (or 20H1) for ARM64/x64/32-bit Systems
- Windows Server Ver. 20H2 (Server Core Installation)
- Windows 10 Ver. 20H2 for ARM64/x64/32-bit Systems
An example of static vs. dynamic scoring
CVE-2021-31166 is an excellent illustration of static vs. dynamic risk scores. Immediately after the CVE was first published on May 11, we assigned it a risk score of 56. As facts surrounding the relative risk associated with this vulnerability evolved, so did its Kenna Risk Score. And once the exploit code was published, its risk score jumped to 86. (See chart below.)
In contrast, despite the volatile risk profile of CVE-2021-31166, its CVSS scores have remained unchanged since they were first assigned. In the case of this CVE, that’s not such a worry for those who use CVSS 3.x to score their vulnerabilities, since this vuln was assigned a critical 9.8 score right out of the gate. But those who rely on CVSS 2.0 will see a score of just 7.5 for this CVE—which may not be high enough to land on their “fix now” list.
Of course, this issue is larger than any particular vuln, since the static nature of CVSS scores represents a risk to Security professionals who recognize the threat posed by a specific CVE can change over time, even if the CVSS score on which their remediation strategy is based does not. And it’s particularly concerning when they learn that many vulnerability scanners simply repackage CVSS scores as their vulnerability prioritization engines. In other words, if you or your scanner are relying on CVSS alone, you could be working from obsolete information.
CVE-2021-31166 is noteworthy, too, because it arrived two days before Kenna Security and Cyentia Institute published the seventh edition of our joint Prioritization to Prediction report series. The latest report covers an extensive analysis showing that when security researchers disclose exploit code to the public before a software developer can offer a patch, it offers clear and definitive advantages to attackers. Though the POC for this vuln followed the release of the patch, this new report takes a fascinating look at the issues surrounding publishing exploit code.
It’s absolutely worth a look.
A wormable remote code execution vulnerability on Microsoft platforms gets our attention any day, and it should warrant yours as well. And once POC code is published, the picture could change considerably. We recommend remediating CVE-2021-31166 immediately.
Microsoft released patches for CVE-2021-31166 on all known affected platforms as part of Patch Tuesday on May 11.
Watch this space for future Vuln of the Month spotlights. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our vulnerability intelligence powered by machine learning.