The HTTP protocol stack remote code execution vulnerability (CVE-2022-21907) lies in the management of HTTP Trailers by the kernel mode driver http.sys. Certain operating systems such as Windows Server 2019 and Windows 10 version 1809 are, by default, not vulnerable and require the activation of the HTTP Trailer Support. In those systems a possible mitigation exists that consists of removing the trailer capability through the Windows registry. In the latest Windows 10 versions such as Windows 10 version 20H2 and newer the only option is to install the latest patch offered in the January MSPT.

Citrix recommends that customers hosting affected web apps follow Microsoft’s recommendations. Citrix Web App Firewall (WAF) customers should also consider the following recommendations to help reduce risk associated with this vulnerability.

Applying the Citrix WAF signature will help protect the customer from trailer-based exploits. The issue resides in the http.sys driver, a component used not only by IIS but also by other software, such as WSDAPI (Web Services for Devices), that could be exposed to the issue. Processes using http.sys can be listed with the command 'netsh http show servicestate'. For Windows Server 2019 and Windows 10 version 1809, the following PowerShell command confirms that trailer support has not been activated:


Get-ItemProperty "HKLM:\System\CurrentControlSet\Services\HTTP\Parameters" | Select-Object EnableTrailerSupport
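The two host checks above (the registry value and the netsh listing) combined into one defender-side script, as an added example that is not part of the Citrix article and not Citrix or Microsoft code. The function name, the parameter name and the build-number test are my own assumptions; it is meant for an elevated PowerShell prompt on Windows Server 2019 or Windows 10 version 1809, where the registry mitigation applies.

```powershell
# Added example (not from the Citrix article): report whether http.sys accepts
# HTTP trailers on this host, optionally remove the EnableTrailerSupport value
# (the registry mitigation the article mentions), and list the URLs that are
# currently registered with http.sys. Function and parameter names are mine.

function Test-HttpSysTrailerSupport {
    [CmdletBinding()]
    param(
        # When set, delete the EnableTrailerSupport value instead of only
        # reporting it. Leave unset for a read-only audit.
        [switch]$RemoveTrailerSupport
    )

    $paramsKey = 'HKLM:\System\CurrentControlSet\Services\HTTP\Parameters'

    # Build 17763 is Windows Server 2019 / Windows 10 version 1809, the builds
    # that ship with trailer support off by default. Newer builds (20H2 and
    # later) need the Microsoft patch; the registry change is not a mitigation
    # there.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    if ($build -ne 17763) {
        Write-Warning "OS build $build is not 17763 (Server 2019 / 1809): the registry mitigation does not apply, install the Microsoft patch."
    }

    # Read the value. An absent value (the default) or 0 means trailers are not
    # accepted; 1 means trailer support has been activated.
    $props = Get-ItemProperty -Path $paramsKey -ErrorAction Stop
    $value = $props.EnableTrailerSupport

    if ($null -eq $value -or $value -eq 0) {
        Write-Output 'EnableTrailerSupport is absent or 0: HTTP trailer support is not activated.'
        $enabled = $false
    } else {
        Write-Warning "EnableTrailerSupport = ${value}: HTTP trailer support is active; host is exposed to CVE-2022-21907 until patched."
        $enabled = $true
    }

    if ($enabled -and $RemoveTrailerSupport) {
        Remove-ItemProperty -Path $paramsKey -Name 'EnableTrailerSupport' -ErrorAction Stop
        Write-Output 'Removed EnableTrailerSupport from the HTTP Parameters key.'
        $enabled = $false
    }

    # Everything registered with http.sys (IIS, WinRM/WSMan, WSDAPI, ...) shares
    # the exposure, so collect the registered URL lines from netsh output.
    $state = netsh http show servicestate
    $urls = $state |
        Where-Object { $_ -imatch '^\s*https?://' } |
        ForEach-Object { $_.Trim() } |
        Sort-Object -Unique

    [pscustomobject]@{
        Build                = $build
        TrailerSupportActive = $enabled
        RegisteredUrls       = $urls
    }
}

# Read-only audit; add -RemoveTrailerSupport to apply the registry mitigation.
Test-HttpSysTrailerSupport
```

The returned object is what you would feed into an inventory or compliance check: a host with TrailerSupportActive equal to true and a non-empty RegisteredUrls list is the one to prioritise for patching, whether or not IIS is installed.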


Citrix's research team has released updated Citrix WAF signatures designed to mitigate, in part, the CVE-2022-21907 vulnerability. If you are using any of the affected Windows operating systems, Citrix strongly recommends that you download signature version 84 and apply it to your Citrix WAF deployments as an additional layer of protection for your applications. Signatures are compatible with Citrix ADC 11.1, 12.0, 12.1, 13.0, and 13.1. Please note that versions 11.1 and 12.0 are at end of life. Learn more about the release lifecycle.

Signature rule: 998998
CVE ID: CVE-2022-21907
Description: WEB-MISC Microsoft HTTP Protocol Stack – Remote Code Execution Vulnerability (CVE-2022-21907)

If you are already using Citrix WAF signatures with the auto-update feature enabled, follow these steps after verifying that the signature version is at least 84.

  1. Search your signatures for CVE-2022-21907 in the LogString field
  2. Select the results with ID 998998
  3. Choose "Enable Rules" and click OK

Citrix recommends that Citrix WAF customers use the latest signature version, enable signatures auto-update, and subscribe to receive signature alert notifications. Citrix will continue to monitor this dynamic situation and provide updates as new mitigations become available.

If app availability is inadvertently affected by false positives resulting from the above mitigation policies, Citrix recommends the following modifications to the policy. Please note that any endpoint covered by the exception_list is excluded from the signature check and may expose those assets to risks from CVE-2022-21907.

Modifications to WAF Policy

add policy patset exception_list

# (Example: bind policy patset exception_list "/exception_url")

Prepend the existing WAF policy expression with HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT

# (Example: set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)

Additional Information

Citrix WAF has a single code base across physical, virtual, bare-metal, and containers. This signature update applies to all form factors and deployment models of Citrix WAF.

To learn more about Citrix Web App Firewall signatures, check out our alert articles and bot signature articles, and find out how you can receive signature alert notifications.

Patches and Mitigations

Citrix strongly recommends that customers apply patches (from Microsoft and/or other vendors) as soon as they are made available. Until a patch is made available, you may reduce the risk of a successful attack by applying mitigations. Mitigations should not be considered full solutions as they do not fully address the underlying issue(s).