CVE-2022-38113 - Exposing Build and Service Versions via Server Response Headers
The vulnerability identified as CVE-2022-38113 might sound less dramatic than a remote code execution bug, but it can still weaken your organization's security posture. CVE-2022-38113 is a sensitive information disclosure issue: it reveals the exact build and service versions your server is running via HTTP response headers, which makes it easy for attackers to plan targeted attacks against known vulnerabilities in those versions.
In this article, we'll take a close look at CVE-2022-38113, show sample code that demonstrates the vulnerability, provide a proof of concept, and share links to the original references. Let's keep it straight and simple.
What Exactly is CVE-2022-38113?
CVE-2022-38113 is an information disclosure vulnerability that affects certain Microsoft products (notably Microsoft Office Web Apps Server and Microsoft SharePoint). When a user, tool, or attacker makes a request to a vulnerable server, the HTTP response includes headers that directly expose the build and service version numbers. Here’s why this is risky:
How Does the Vulnerability Work?
When your server responds to an HTTP request, it sends metadata in response headers. With CVE-2022-38113, affected products send headers such as X-FEServer and X-Powered-By, or custom headers that carry their explicit version numbers.
Here's a simplified visualization:
HTTP/1.1 200 OK
Date: Thu, 13 Jun 2024 11:00:00 GMT
X-FEServer: APPSERVER1
X-Powered-By: Microsoft-IIS/10.0
Server: Microsoft-IIS/10.0
X-OWA-Version: 16.0.1234.5678
X-Application-Version: 16.0.1234.5678
Content-Type: text/html; charset=utf-8
...
Notice the X-OWA-Version and X-Application-Version headers? They expose the exact version and build number.
Why Does This Matter?
Let’s say your server is running an outdated version of SharePoint that has critical vulnerabilities patched in more recent builds. An attacker runs a simple automated scan and gets:
X-OWA-Version: 16.0.1234.5678
They look up public vulnerability reports and exploit databases, match that version, and—voila!—they know exactly how to attack your server.
Proof Of Concept (PoC): See It in Action
You don’t need fancy tools. Even curl or your browser’s dev tools can display these leaking headers.
Open your terminal and run:
curl -I https://vulnerable-server.example.com/
Example output:
HTTP/1.1 200 OK
X-Powered-By: ASP.NET
X-OWA-Version: 16.0.1234.5678
X-FEServer: APPSERVER1
Server: Microsoft-IIS/10.0
Date: Thu, 13 Jun 2024 11:05:00 GMT
Content-Type: text/html; charset=utf-8
If you see headers like X-OWA-Version or X-Application-Version, your server is disclosing too much information.
Exploit Details
This vulnerability does not allow direct system access or code execution. The risk lies in information disclosure, which attackers leverage in the following way:
Here's a snippet in Python using requests to pull the relevant headers:
import requests

url = "https://vulnerable-server.example.com/"
response = requests.get(url)

# Print only the headers that commonly carry build or product versions
for header in ["X-OWA-Version", "X-Application-Version", "Server", "X-FEServer"]:
    if header in response.headers:
        print(f"{header}: {response.headers[header]}")
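The snippet above needs a live server. As an added example (not code from the article), the script below does the same audit offline on a captured response: it parses the raw header block, flags any header whose value contains a dotted version number, and also flags known technology headers such as X-Powered-By even when they carry no version. The sample response is constructed to match the curl output shown earlier; the names `parse_response_headers`, `find_version_disclosures`, `audit_raw_response` and `audit_url` are mine, and X-AspNet-Version is assumed as a common IIS header rather than taken from the article.

```python
import re
import urllib.request
from typing import Dict, List, Optional, Tuple

# Headers that name the technology even when no dotted version is present.
# X-OWA-Version, X-Application-Version, Server and X-Powered-By come from the
# article; X-AspNet-Version is an assumption (a common IIS/ASP.NET header).
TECH_HEADERS = {
    "server",
    "x-powered-by",
    "x-owa-version",
    "x-application-version",
    "x-aspnet-version",
}

# Dotted version numbers such as 16.0.1234.5678, or the 10.0 in Microsoft-IIS/10.0
VERSION_RE = re.compile(r"\b\d+(?:\.\d+){1,3}\b")


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 response into a lower-cased dict."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:              # lines[0] is the status line
        if not line.strip():            # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def find_version_disclosures(headers: Dict[str, str]) -> List[Tuple[str, Optional[str]]]:
    """Return (header, version) pairs for headers that disclose a product or version.

    version is the exact dotted version string found in the value, or None when a
    known technology header is present without a version (X-Powered-By: ASP.NET
    still names the stack).
    """
    findings: List[Tuple[str, Optional[str]]] = []
    for name, value in headers.items():
        match = VERSION_RE.search(value)
        if match:
            findings.append((name, match.group(0)))
        elif name in TECH_HEADERS:
            findings.append((name, None))
    return sorted(findings, key=lambda finding: finding[0])


def audit_raw_response(raw: str) -> List[Tuple[str, Optional[str]]]:
    """Parse, then audit, a captured response (e.g. pasted curl -I output)."""
    return find_version_disclosures(parse_response_headers(raw))


def audit_url(url: str, timeout: float = 10.0) -> List[Tuple[str, Optional[str]]]:
    """Audit a live server you administer with a HEAD request (needs network)."""
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return find_version_disclosures({k.lower(): v for k, v in response.headers.items()})


# Constructed sample modelled on the curl output in the article (not a real capture).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 13 Jun 2024 11:05:00 GMT\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-OWA-Version: 16.0.1234.5678\r\n"
    "X-FEServer: APPSERVER1\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>\r\n"
)

if __name__ == "__main__":
    for header, version in audit_raw_response(SAMPLE_RESPONSE):
        if version:
            print(f"{header}: exposes version {version}")
        else:
            print(f"{header}: names the technology without a version")
```

Run against the sample, the audit reports Server (10.0), X-OWA-Version (16.0.1234.5678) and X-Powered-By (technology only); Date, X-FEServer and Content-Type are not flagged because they carry no dotted version. The regex approach catches version leaks in headers you did not think to list, which is the gap a fixed header list leaves.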
How to Fix or Mitigate
1. Update all servers to the latest, patched versions. Microsoft addressed CVE-2022-38113 in their security update (see references below).
2. Configure your web server to suppress or sanitize response headers. For IIS, edit your web.config or use URL Rewrite outbound rules to remove sensitive headers.
Example: removing response headers in IIS via web.config
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <remove name="X-Powered-By" />
      <remove name="X-OWA-Version" />
      <remove name="X-Application-Version" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
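Applying that web.config change by hand across a farm is error-prone, so here is an added example (my code, not Microsoft's or the article's) that rewrites a web.config programmatically: it creates the system.webServer/httpProtocol/customHeaders path if missing, adds a `<remove>` for each sensitive header, deletes any `<add>` that would re-introduce one, keeps the `<remove>` entries ahead of remaining `<add>` entries, and is idempotent so it can run on every deploy. The function names and the sample web.config are constructed for this example.

```python
import xml.etree.ElementTree as ET
from typing import Iterable, List, Tuple

# Headers to suppress: the two the article shows leaking plus the generic
# X-Powered-By banner that IIS/ASP.NET adds by default.
SENSITIVE_HEADERS = ("X-Powered-By", "X-OWA-Version", "X-Application-Version")

CUSTOM_HEADERS_PATH = "./system.webServer/httpProtocol/customHeaders"


def _ensure_child(parent: ET.Element, tag: str) -> ET.Element:
    """Return parent/tag, creating the element if it does not exist yet."""
    child = parent.find(tag)
    if child is None:
        child = ET.SubElement(parent, tag)
    return child


def harden_web_config(xml_text: str, headers: Iterable[str] = SENSITIVE_HEADERS) -> str:
    """Return web.config text with a <remove> for every sensitive header (idempotent)."""
    root = ET.fromstring(xml_text)
    if root.tag != "configuration":
        raise ValueError("expected a <configuration> root element")
    web_server = _ensure_child(root, "system.webServer")
    http_protocol = _ensure_child(web_server, "httpProtocol")
    custom = _ensure_child(http_protocol, "customHeaders")
    wanted = list(headers)

    # An explicit <add> for a sensitive header would undo the removal; drop it.
    for add in list(custom.findall("add")):
        if add.get("name") in wanted:
            custom.remove(add)

    # Insert missing <remove> entries directly after any existing ones, so they
    # stay ahead of <add> entries in the collection.
    present = {r.get("name") for r in custom.findall("remove")}
    insert_at = max((i for i, c in enumerate(custom) if c.tag == "remove"), default=-1) + 1
    for name in wanted:
        if name in present:
            continue
        custom.insert(insert_at, ET.Element("remove", name=name))
        insert_at += 1

    if hasattr(ET, "indent"):           # Python 3.9+: readable output
        ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode")


def custom_header_entries(xml_text: str) -> List[Tuple[str, str]]:
    """List (tag, name) for each child of customHeaders, in document order."""
    root = ET.fromstring(xml_text)
    custom = root.find(CUSTOM_HEADERS_PATH)
    if custom is None:
        return []
    return [(child.tag, child.get("name", "")) for child in custom]


# Constructed sample web.config: re-adds X-Powered-By explicitly (a leak) and
# carries one benign header that must survive hardening.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Powered-By" value="ASP.NET" />
        <add name="X-Content-Type-Options" value="nosniff" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""

if __name__ == "__main__":
    print(harden_web_config(SAMPLE_WEB_CONFIG))
```

Pair this with the header audit after deployment to confirm the headers are really gone, since a site-level web.config can be overridden by settings elsewhere in the IIS configuration hierarchy. Note that customHeaders cannot strip the Server header itself; on IIS 10 (Windows Server version 1709 and later) that one is suppressed with `<security><requestFiltering removeServerHeader="true" /></security>`, and on older versions it needs a URL Rewrite outbound rule.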
References
- Microsoft Security Response Center – CVE-2022-38113
- NIST NVD entry on CVE-2022-38113
- Original Patch Announcement
Final Thoughts
While CVE-2022-38113 isn't as flashy as a full-blown exploit, information disclosure is a crucial piece in an attacker's playbook. Keeping your servers quiet about their internals makes you a harder, less interesting target.
Stay up to date. Review your server headers. Remove what you can. Make life harder for attackers.
For more best practices and news like this, stay tuned!
Timeline
Published on: 11/23/2022 17:15:00 UTC
Last modified on: 08/03/2023 18:15:00 UTC