Hello, welcome to the Wednesday, January 12, 2020 edition of the Sansonet Storm Center's

Stormcast. My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

Let's patch Tuesday, and with that we got patches for 126 different vulnerabilities. Well,

that includes the chromium vulnerabilities that affect Microsoft Edge,

which were technically released last week. But well, the headliner of this patch Tuesday

is CVE 2022-21907.

This vulnerability affects HTTP.Sys.

That's the basic HTTP processor on Windows, and with that, of course, IIS, and everything

else on Windows that pretty much deals with HTTP.

So a commonly exposed component last big vulnerability here,

I remember was the range header from a couple of years back,

and certainly something that's often exposed.

This is a big deal, it's a warmable vulnerability.

It does allow for code execution. It does require no user interaction,

and many versions of Windows are vulnerable by default, in particular more recent versions

like 2022, 20H2 core, and various Windows 10 and Windows 11 versions. The only recent versions of Windows that

are not vulnerable by default is Windows Server 2019 and Windows Server 10 version 1809. These

two versions are vulnerable technically, but the feature,DP trailers is not enabled by default.

So let me elaborate a little bit on what these HEPP trailers are all about.

Most of you are probably familiar with HDP headers that you have at the beginning of a request

or a response, and then you typically have an HDP1.1 at least, an empty line, and then you

follow the response or request body.

...