1. Home
  2. Mapping Frameworks
  3. Known Exploited Vulnerabilities Home
  4. Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability

Known Exploited Vulnerabilities CVE-2021-31166 Mappings

HTTP Protocol Stack Remote Code Execution Vulnerability

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CVE-2021-31166 Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability primary_impact T1059 Command and Scripting Interpreter
Comments
This memory corruption vulnerability is exploited by a remote, unauthenticated attacker via crafted HTTP packets to a server that uses http.sys to process packets. Adversaries may leverage this vulnerability to execute malicious code on the OS kernel. This vulnerability has a proof of concept validating that it can be wormable. However, exploitations in the wild linking to this type of impact have not been published. The North Korean state-backed hacker group known as the Lazarus Group has been attributed to leveraging this vulnerability in their attacks to gain initial access to Windows IIS servers. Once initial access is gained, they have exploited the vulnerable system to perform data theft, disrupt services, propagate malware, or conduct espionage or surveillance. **team review - AttackerKB links Command and Scripting to this vulnerability, but I have not found any threat reports linking this impact to an actual attack. The only "in the wild" report I found was by SecureBlink linking it to the Lazarus Group to gain initial access. Unsure what primary impact we can link to here.
References
  1. https://www.secureblink.com/cyber-security-news/lazarus-hacking-group-exploiting-vulnerable-windows-iis-web-servers
  2. https://attackerkb.com/topics/pZcouFxeCW/cve-2021-31166/rapid7-analysis
  3. https://therecord.media/poc-released-for-wormable-windows-iis-bug
CVE-2021-31166 Microsoft HTTP Protocol Stack Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
Comments
This memory corruption vulnerability is exploited by a remote, unauthenticated attacker via crafted HTTP packets to a server that uses http.sys to process packets. Adversaries may leverage this vulnerability to execute malicious code on the OS kernel. This vulnerability has a proof of concept validating that it can be wormable. However, exploitations in the wild linking to this type of impact have not been published. The North Korean state-backed hacker group known as the Lazarus Group has been attributed to leveraging this vulnerability in their attacks to gain initial access to Windows IIS servers. Once initial access is gained, they have exploited the vulnerable system to perform data theft, disrupt services, propagate malware, or conduct espionage or surveillance. **team review - AttackerKB links Command and Scripting to this vulnerability, but I have not found any threat reports linking this impact to an actual attack. The only "in the wild" report I found was by SecureBlink linking it to the Lazarus Group to gain initial access. Unsure what primary impact we can link to here.
References
  1. https://www.secureblink.com/cyber-security-news/lazarus-hacking-group-exploiting-vulnerable-windows-iis-web-servers
  2. https://attackerkb.com/topics/pZcouFxeCW/cve-2021-31166/rapid7-analysis
  3. https://therecord.media/poc-released-for-wormable-windows-iis-bug