logo

Query Exchange

Built off the open source project Osquery

The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

CVE-2022-21907 | HTTP Protocol Stack Remote Code Execution Vulnerability

Status: Under Review Submitted by on ‎01-14-2022 05:55 PM

Description: This query checks if the registry value (EnableTrailerSupport) is set or not. If this value is set, it is most likely the asset is vulnerable to this critical vulnerability CVE-2022-21907

Ref: https://isc.sans.edu/diary/rss/28234

SELECT
CASE
WHEN EXISTS (SELECT *
FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters' AND name = 'EnableTrailerSupport')
THEN 'VULNERABLE'
ELSE 'NOT_VULNERABLE'
END 'CVE-2022-21907_status';

Comment
1 Comment
jnelson
Carbon Black Employee
‎01-18-2022 10:05 AM
‎01-18-2022 10:05 AM

@ralamer I must admit I found that SANS article a little confusing, so I checked out the MSFT link in the article and it made a lot more sense. In that vulnerability announcement, it states that the registry key in your query is only useful in mitigating this vulnerability in Windows Server 2019 and Windows 10, version 1809. Therefore, other vulnerable versions listed on that page would need to apply patches.

With that said, I think it would be good to modify your query to make it less prone to false negatives. Please let me know if you read things differently or have questions.

logo