CVE-2022-35748 Overview
CVE-2022-35748 is a Denial of Service vulnerability affecting HTTP.sys, a kernel-mode driver that handles HTTP protocol processing in Microsoft Windows Server operating systems. This vulnerability allows remote attackers to cause service disruption without requiring authentication or user interaction, making it particularly dangerous for internet-facing Windows Server deployments.
Critical Impact
Unauthenticated remote attackers can trigger a denial of service condition against Windows Server systems running HTTP.sys, potentially disrupting critical web services and applications.
Affected Products
- Microsoft Windows Server 2012
- Microsoft Windows Server 2012 R2
- Microsoft Windows Server 2016
- Microsoft Windows Server 2019
- Microsoft Windows Server 2022
- Microsoft Windows Server 20H2
Discovery Timeline
- 2023-05-31 - CVE-2022-35748 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-35748
Vulnerability Analysis
HTTP.sys is a fundamental kernel-mode driver in Windows that provides HTTP protocol stack functionality for the operating system. Applications such as Internet Information Services (IIS), Windows Remote Management (WinRM), and various web services rely on HTTP.sys for processing HTTP requests.
The vulnerability exists in how HTTP.sys handles certain malformed or specially crafted HTTP requests. When exploited, this flaw can cause the HTTP.sys driver to enter an unrecoverable state, leading to service disruption. Since HTTP.sys operates at the kernel level, exploitation can affect all applications and services that depend on it for HTTP processing.
The attack can be executed remotely over the network without requiring any privileges or user interaction, significantly lowering the barrier to exploitation. Organizations running Windows Server with HTTP-based services exposed to the internet are at heightened risk.
Root Cause
The root cause of this vulnerability relates to improper handling of specific HTTP request patterns within the HTTP.sys kernel-mode driver. When the driver encounters these malformed requests, it fails to properly validate or handle the input, resulting in a denial of service condition.
Attack Vector
The attack is network-based and can be launched remotely against any Windows Server system with HTTP.sys listening for connections. An attacker would craft and send malicious HTTP requests to the target server's HTTP endpoint. The attack requires no authentication and no user interaction, allowing for potential automation and large-scale exploitation.
The network-based nature of this attack combined with no prerequisites makes it highly exploitable. Organizations should note that this vulnerability has an EPSS probability of 47.414% and ranks at the 97.6th percentile, indicating a high likelihood of exploitation in the wild.
Detection Methods for CVE-2022-35748
Indicators of Compromise
- Unexpected HTTP.sys service crashes or restarts on Windows Server systems
- Unusual patterns of malformed HTTP requests in IIS or HTTP.sys logs
- Service availability alerts for web applications relying on HTTP.sys
- Kernel-level error events in Windows Event Viewer related to HTTP.sys
Detection Strategies
- Monitor Windows Event Logs for HTTP.sys-related errors and crashes (Event IDs in the HTTP Service category)
- Implement network intrusion detection rules to identify malformed HTTP request patterns targeting Windows servers
- Deploy endpoint detection and response (EDR) solutions to monitor for anomalous kernel-mode driver behavior
- Configure web application firewalls (WAF) to detect and block suspicious HTTP request patterns
Monitoring Recommendations
- Enable enhanced logging for HTTP.sys and IIS to capture detailed request information
- Set up alerting for HTTP service availability degradation or unexpected restarts
- Monitor network traffic patterns for unusual HTTP request volumes or characteristics targeting Windows servers
- Implement baseline monitoring for HTTP.sys performance metrics to detect anomalies
How to Mitigate CVE-2022-35748
Immediate Actions Required
- Apply the Microsoft security update for CVE-2022-35748 immediately on all affected Windows Server systems
- Review network perimeter controls to limit exposure of HTTP services to trusted networks where possible
- Ensure web application firewalls are configured with up-to-date rule sets
- Prioritize patching for internet-facing servers running IIS or other HTTP.sys-dependent services
Patch Information
Microsoft has released security updates to address this vulnerability. Administrators should consult the Microsoft Security Response Center advisory for CVE-2022-35748 for specific patch versions and deployment guidance. Apply the appropriate security update based on your Windows Server version through Windows Update, WSUS, or Microsoft Update Catalog.
Workarounds
- Implement network segmentation to limit exposure of vulnerable HTTP services
- Configure firewall rules to restrict HTTP/HTTPS access to only necessary source IP ranges
- Deploy a reverse proxy or load balancer in front of vulnerable servers to provide an additional layer of protection
- Consider temporarily disabling non-essential HTTP-based services until patches can be applied
# Windows Firewall configuration to restrict HTTP access
# Run in elevated PowerShell
# Create inbound rule to allow HTTP only from trusted network
New-NetFirewallRule -DisplayName "Restrict HTTP Access" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 80,443 `
-RemoteAddress "10.0.0.0/8","192.168.0.0/16" `
-Action Allow
# Block HTTP from all other sources
New-NetFirewallRule -DisplayName "Block External HTTP" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 80,443 `
-Action Block
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
