ALERT: Vulnerability in Microsoft HTTP.sys allows denial of service and could allow remote code execution (MS15-034)

Thursday, April 16, 2015

This information was sent to U-M IT staff groups on April 16, 2015.

This message is intended for U-M IT staff who are responsible for running, maintaining, or supporting university web servers running Windows.

Summary: 

A vulnerability in Microsoft HTTP.sys allows denial of service and could allow remote code execution if an attacker sends a specially crafted HTTP request to a vulnerable Windows server. Updates are available from Microsoft that should be applied after appropriate testing.

Problem: 

Exploit code currently exists that allows attackers to crash an unpatched server, although code is not yet publicly available that allows an attacker to remotely execute code on an affected machine. There are reports that widespread attempts to crash servers may be occurring.

Affected Systems: 

Machines running the following operating systems are vulnerable if they are used as web servers and run software that uses HTTP.sys to accept HTTP requests.

  • Windows 7 and Windows 8 (including 8.1)
  • Windows Server 2008 R2
  • Windows Server 2012 and 2012 R2

Applications that use HTTP.sys and kernel caching could be vulnerable.

  • Internet Information Services (IIS), commonly used as a web server on Windows servers, is known to be vulnerable.
  • Windows Remote Management (WinRM) and PowerShell Remoting (PSRemoting) use HTTP.sys but do not use kernel caching, and are likely not vulnerable.

Action Items:
  • Patch affected machines as soon as possible after appropriate testing.
  • Prioritize Windows web servers that are accessible from the internet, especially if they provide critical services or if they store or process sensitive data.
  • Consider disabling IIS kernel caching as a temporary workaround if the security update cannot be applied soon. This workaround is specific to IIS and can cause performance issues. See Enable Kernel Caching (IIS 7) for details.
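The three action items above (confirm the update, find out what on the host is actually served through HTTP.sys, and apply or revert the IIS kernel-caching workaround) can be checked from one place. The script below is an added example written for this advisory; it is not Microsoft's or U-M's code. It assumes an elevated PowerShell session on the web server with the IIS WebAdministration module installed (IIS 7 or later), and the KB identifier `KBnnnnnnn` is a placeholder to be replaced with the update number given in the MS15-034 bulletin. `netsh http show servicestate` is used to list which URL groups HTTP.sys is serving, since the advisory notes that WinRM uses the driver without kernel caching.

```powershell
#Requires -RunAsAdministrator
# Added example for the MS15-034 action items (not part of the original advisory).
# Reports whether the update is present, what HTTP.sys is serving, and the state
# of IIS kernel-mode caching; optionally disables caching as the temporary workaround.
param(
    # Placeholder: substitute the KB number listed in Microsoft's MS15-034 bulletin.
    [string]$UpdateKB = 'KBnnnnnnn',
    # Apply the IIS-only workaround from the advisory (can reduce performance).
    [switch]$DisableKernelCache
)

# 1. Is the security update already installed? Get-HotFix reads the local
#    update inventory; a missing entry means the host still needs patching.
$fix = Get-HotFix -Id $UpdateKB -ErrorAction SilentlyContinue
if ($fix) {
    "Update $UpdateKB installed on $($fix.InstalledOn): no workaround needed."
} else {
    "Update $UpdateKB NOT found: host is exposed if HTTP.sys is accepting requests."
}

# 2. Which listeners are registered with the HTTP.sys driver? IIS sites appear
#    alongside other consumers such as WinRM (default TCP 5985/5986).
"--- HTTP.sys registered URLs (netsh http show servicestate) ---"
netsh http show servicestate |
    Select-String -Pattern 'http://|https://' |
    ForEach-Object { $_.Line.Trim() } |
    Sort-Object -Unique

# 3. Inspect (and optionally disable) IIS kernel-mode output caching, the
#    server-wide setting behind "Enable Kernel Caching (IIS 7)".
Import-Module WebAdministration -ErrorAction Stop
$cfg = @{
    Filter = 'system.webServer/caching'
    PSPath = 'MACHINE/WEBROOT/APPHOST'
    Name   = 'enableKernelCache'
}
# Depending on the module version the property comes back as a bare [bool]
# or as a ConfigurationAttribute with a .Value member; normalise both.
$raw     = Get-WebConfigurationProperty @cfg
$current = if ($raw -is [bool]) { $raw } else { [bool]$raw.Value }
"IIS kernel caching currently enabled: $current"

if ($DisableKernelCache) {
    if (-not $current) {
        "Kernel caching is already disabled; nothing to change."
    } else {
        Set-WebConfigurationProperty @cfg -Value $false
        "Kernel caching disabled server-wide as a temporary workaround."
        "Re-enable after patching with: Set-WebConfigurationProperty (same filter) -Value `$true"
    }
}
```

Run the script with no arguments for a read-only report, and add `-DisableKernelCache` only when the update cannot be applied promptly; because the setting is server-wide, re-enable caching once the patch is installed and tested, as the advisory's performance note implies.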

Threats:

Publicly available exploit code for this vulnerability allows attackers to crash an unpatched machine, causing denial of service conditions. There are reports that widespread attempts to crash servers may be occurring. Exploit code that allows an attacker to remotely execute code on an unpatched machine has not yet been reported.

Technical Details: 

The HTTP.sys vulnerability can be triggered by sending a specially crafted HTTP request to an affected system. Successful exploitation of this vulnerability could result in an attacker executing arbitrary code in the context of the System account. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Information for Users: 

A Windows computer running Windows 7 or 8 is only likely to be vulnerable if used as a web server. If your computer is a web server that is running Windows, update it by using Windows Update.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection.

Questions, Concerns, Reports: 

Please contact iia.inform@umich.edu.

Sincerely, 
Don Welch, 
University of Michigan Chief Information Security Officer