Researcher publishes PoC for CVE-2021-31166 vulnerability in Microsoft IIS

Axel Souchet, a security researcher who formerly worked for Microsoft, has published proof-of-concept (PoC) exploit code for a critical vulnerability in the HTTP stack used by the Windows IIS web server. The vulnerability, tracked as CVE-2021-31166, was discovered internally by Microsoft and patched in the May 2021 Patch Tuesday release.

The flaw carries a CVSS score of 9.8/10 and is described as a memory corruption bug in the HTTP protocol stack (HTTP.sys) that ships with the latest versions of Windows.

HTTP.sys is a kernel-mode driver used by the built-in Windows IIS web server. Microsoft notes that when this server is enabled, an unauthenticated attacker could send a specially crafted (malformed) packet and execute code directly in the operating system kernel. Microsoft's advisory describes the bug as wormable, meaning it could be used to build network worms that jump from one vulnerable server to the next, and recommends prioritizing patching of affected servers.

Microsoft also pointed to factors that limit the risk of exploitation. To begin with, only newer versions of Windows are affected: Windows 10 versions 2004 and 20H2, plus Windows Server versions 2004 and 20H2, all released within the past twelve months. Earlier Windows releases do not carry the bug.
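The practical question for an administrator is whether a given host is in the affected set and, if so, whether the May 2021 update has landed before anything listens through HTTP.sys. The following PowerShell triage script is an added example, not code from the article or from Microsoft. It assumes (the article does not state this) that versions 2004 and 20H2 correspond to OS builds 19041 and 19042, and that the fixing cumulative update raises the Update Build Revision (UBR) of those builds to 985; adjust `$PatchedUbr` if your change records differ.

```powershell
# Added triage script for CVE-2021-31166 exposure; not part of the article,
# not Microsoft tooling. Run in an elevated PowerShell session on each host.
#
# Assumptions (not stated in the article):
#   - Windows 10 / Windows Server versions 2004 and 20H2 are OS builds
#     19041 and 19042.
#   - The May 2021 cumulative update that fixes CVE-2021-31166 raises the
#     UBR of those builds to 985 (19041.985 / 19042.985).
$AffectedBuilds = 19041, 19042
$PatchedUbr     = 985

$cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build   = [int]$cv.CurrentBuildNumber
$ubr     = [int]$cv.UBR
# DisplayVersion exists from 20H2 onward; older builds only carry ReleaseId.
$release = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }

# HTTP.sys is a kernel driver, so it is listed under Win32_SystemDriver,
# not under Get-Service.
$httpSys = Get-CimInstance Win32_SystemDriver -Filter "Name='HTTP'"
# IIS (W3SVC) is the listener the article talks about, but anything that
# registers a URL with HTTP.sys (WinRM, WSUS, .NET HttpListener apps)
# also exposes the driver to network traffic.
$w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue

$affectedBuild = $build -in $AffectedBuilds
$httpRunning   = $httpSys -and $httpSys.State -eq 'Running'

$verdict = if (-not $affectedBuild) {
    'Build not affected by CVE-2021-31166'
} elseif ($ubr -ge $PatchedUbr) {
    'Affected build, May 2021 update present'
} elseif ($httpRunning) {
    'EXPOSED: affected build, update missing, HTTP.sys running'
} else {
    'Update missing, but HTTP.sys is not running (patch before enabling IIS)'
}

[pscustomobject]@{
    Host         = $env:COMPUTERNAME
    Release      = $release
    OSBuild      = "$build.$ubr"
    HttpSysState = if ($httpSys) { $httpSys.State } else { 'not present' }
    IISRunning   = [bool]($w3svc -and $w3svc.Status -eq 'Running')
    Verdict      = $verdict
} | Format-List

# Show what is actually registered with HTTP.sys, so you can see which
# services (IIS sites, WinRM, others) would receive attacker traffic.
netsh http show servicestate view=session
```

The build check rather than a `Get-HotFix` lookup is deliberate: cumulative updates are superseded by later ones, so searching for a specific KB number produces false negatives on hosts that skipped straight to a newer cumulative. Comparing the UBR against the first fixed revision stays correct as later updates arrive.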

Over the weekend, Souchet published the PoC for the flaw. The code has no worming capability: it only crashes (blue-screens) an unpatched Windows system, and only if that system is running IIS, making it a denial-of-service demonstration rather than a remote code execution exploit.

Publication of PoC code is often the first step toward real-world exploitation by threat actors, even if the number of vulnerable Windows IIS servers is small or undetermined. Microsoft urges users of affected deployments to update as soon as possible: the exploit risk is now concrete, and there may still be many administrators who have not upgraded to a patched version.

This is not the first time Microsoft has faced a risk of this kind. In June 2019, a threat actor exploited an Exim vulnerability to build a worm that spread across Linux-based servers on the company's Azure cloud. While Microsoft has most likely patched the IIS servers in its own Azure infrastructure, there are still other cloud providers and corporate networks where the flaw could currently be exploited.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.