The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

CVE-2022-21907 | HTTP Protocol Stack Remote Code Execution Vulnerability

Description: This query checks if the registry value (EnableTrailerSupport) is set or not. If this value is set, it is most likely the asset is vulnerable to this critical vulnerability CVE-2022-21907


FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters' AND name = 'EnableTrailerSupport')
END 'CVE-2022-21907_status';

1 Comment
Carbon Black Employee

@ralamer I must admit I found that SANS article a little confusing, so I checked out the MSFT link in the article and it made a lot more sense. In that vulnerability announcement, it states that the registry key in your query is only useful in mitigating this vulnerability in Windows Server 2019 and Windows 10, version 1809. Therefore, other vulnerable versions listed on that page would need to apply patches.

With that said, I think it would be good to modify your query to make it less prone to false negatives. Please let me know if you read things differently or have questions.