Outranging HTTP.sys Range-Based Attacks, Trigger Style

If you've been watching the news in the tech space this week you've probably seen plenty going on in regards to HTTP.sys. A couple days ago ( April 15) a new CVE (Common Vulnerabilities and Exposures, the widely adopted place to track the bad things people are trying to do when they happen) was filed that depicts a relatively nasty little attack vector targeting Windows IIS systems.

As it turns out, if an attacker sends a specially crafted HTTP request, they are potentially able to execute arbitrary code. Not only that, but they're able to do it with system-level access. The race is on to ensure IIS deployments are patched before this turns nasty. The first step for an attacker that wants to exploit this vulnerability is to identify potentially vulnerable hosts. To do so, there will be scans a plenty flying around in the near future. Heck, they're probably already happening as you're reading this. For full details you can check out the CVE here.

Check it out:
HTTP.sys Attack Detection Those scans are checking for a susceptibility to specific range headers that is apparently a part of the vuln. Full details aren't out, but we know that scanners are sending a range header formatted like "Range: bytes=0-18446744073709551615" and parsing requests to see how systems respond. This will indicate whether or not they're open to this exploit. This means that, while you definitely want to patch your systems first and foremost, you also might want to see who is scanning your network for this particular vuln. Not to mention finding out what it is they're scanning.

Enter ExtraHop and trigger magic. With a super simple (seriously, it's effectively six lines of code, folks) trigger, we're able to collect metrics on anyone scanning your systems for this vulnerability, which systems are being scanned, and keep an eye on overall HTTP request rates to make sure all seems in order. All in one compact, easy to interpret dashboard.

One of the most interesting use cases for this bundle, if you ask me, is to use it to keep an eye on deployments where this vuln scan should theoretically already be stomped out. Lots of people are deploying solutions at their LB tier to stop this kind of thing. Wouldn't it be great to know with 100% confidence that nothing is getting through, being routed around, or somehow not being affected by the solution intended to stop these scans, and subsequent later attacks? Heck, even to just know for sure that your solution is rock solid seems valuable. There's a super easy to install bundle here if you want to kick the tires on this one.

Whether you're using it to police your current solution to stop these scans, or to determine whether you need to take action, hopefully this will let you sleep a little easier at night. As more info about the actual attack becomes available, keep an eye out for updates here that help track the attack itself.

Want to learn to detect and prevent data breaches in real time? See how in our free, interactive Enterprise Edition demo.

Subscribe to our Newsletter

Get the latest from ExtraHop delivered straight to your inbox.