Remote Code Execution Vulnerability In Windows HTTP Protocol Stack

On March 14, 2023, Microsoft released a security fix for a vulnerability (CVE-2023-23392) in the HTTP/3 protocol stack of Microsoft Windows Server 2022 and Windows 11 systems.

This vulnerability allows a remote attacker to execute arbitrary code. Microsoft expects that this vulnerability is likely to be exploited soon.

Technical Details

The vulnerability exists in the HTTP/3 protocol stack of current Microsoft Windows systems. An attacker can exploit this vulnerability if the targeted system meets the following prerequisites:

  • HTTP/3 needs to be active, and
  • the server uses buffered I/O.

If the system fulfils these prerequisites, an attacker can send a specially crafted packet to the system and trigger the vulnerability.

Affected Systems

Microsoft Windows Server 2022, Microsoft Windows 11 (21H2, 22H2).

IoCs

-

Recommended Solution(s)

CERT-EU strongly recommends applying the latest patches for Microsoft Windows Server 2022, focusing on Internet-facing systems first. Additionally, CERT-EU recommends applying the latest patches to systems running Microsoft Windows 11.

Mitigations

HTTP/3 support for services is a new feature in recent Windows operating systems. A prerequisite for a server to be vulnerable is that the binding has HTTP/3 enabled, and the server uses buffered I/O. Therefore, disabling HTTP/3 via a registry key mitigates this vulnerability.

Furthermore, this security vulnerability report as well as its future updates will be posted at the following link on the Barikat Current Security Vulnerability Reports website. https://guvenlikzafiyet.barikat.com.tr/index.html

CVE / CWE

CVE-2023-23392

Related Website(s)

* Vulnerabilities with a CVSS 3.1 score between 7.0 and 8.9 are evaluated to be “high” whereas vulnerabilities with a CVSS 3.1 score between 9.0 and 10.0 are evaluated to be “critical”.