{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-020.pdf"
    },
    "title": "Remote Code Execution vulnerability in Windows HTTP protocol stack",
    "serial_number": "2023-020",
    "publish_date": "15-03-2023 10:30:00",
    "description": "On March 14, 2023, Microsoft released a security fix for a vulnerability (CVE-2023-23392) in the HTTP/3 protocol stack of Microsoft Windows Server 2022 and Windows 11 systems. This vulnerability allows a remote attacker to execute arbitrary code. Microsoft expects this vulnerability likely to be exploited soon.",
    "url_title": "2023-020",
    "content_markdown": "--- \ntitle: 'Remote Code Execution vulnerability in Windows HTTP protocol stack'\nversion: '1.0'\nnumber: '2023-020'\noriginal_date: 'March 14, 2023'\ndate: 'March 15, 2023'\n---\n\n_History:_\n\n* _15/03/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn March 14, 2023, Microsoft released a security fix for a vulnerability (`CVE-2023-23392`) in the HTTP/3 protocol stack of Microsoft Windows Server 2022 and Windows 11 systems [1]. This vulnerability allows a remote attacker to execute arbitrary code. Microsoft expects this vulnerability likely to be exploited soon.\n\n# Technical Details\n\nThe vulnerability exists in the HTTP/3 protocol stack of current Microsoft Windows systems. An attacker can exploit this vulnerability if the attacked system fulfils some prerequisites:\n\n* HTTP/3 needs to be active, and\n* the server uses buffered I/O.\n\nIf the system fulfils these prerequisites, an attacker can send a specially crafted packet to the system and trigger the vulnerability.\n\n# Affected Products\n\nMicrosoft Windows Server 2022, Microsoft Windows 11 (21H2,22H2).\n\n# Recommendations\n\nCERT-EU strongly recommends applying the latest patches for Microsoft Windows Server 2022, focusing on Internet-facing systems first. Additionally, CERT-EU recommends applying the latest patches to systems running Microsoft Windows 11.\n\n## Mitigations\n\nHTTP/3 support for services is a new feature in recent Windows operating systems. A prerequisite for a server to be vulnerable is that the binding has HTTP/3 enabled, and the server uses buffered I/O. Therefore, disabling HTTP/3 via a registry key mitigates this vulnerability [2].\n\n# References\n\n[1] <https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23392>\n\n[2] <https://techcommunity.microsoft.com/t5/networking-blog/enabling-http-3-support-on-windows-server-2022/ba-p/2676880>",
    "content_html": "<p><em>History:</em></p><ul><li><em>15/03/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On March 14, 2023, Microsoft released a security fix for a vulnerability (<code>CVE-2023-23392</code>) in the HTTP/3 protocol stack of Microsoft Windows Server 2022 and Windows 11 systems [1]. This vulnerability allows a remote attacker to execute arbitrary code. Microsoft expects this vulnerability likely to be exploited soon.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability exists in the HTTP/3 protocol stack of current Microsoft Windows systems. An attacker can exploit this vulnerability if the attacked system fulfils some prerequisites:</p><ul><li>HTTP/3 needs to be active, and</li><li>the server uses buffered I/O.</li></ul><p>If the system fulfils these prerequisites, an attacker can send a specially crafted packet to the system and trigger the vulnerability.</p><h2 id=\"affected-products\">Affected Products</h2><p>Microsoft Windows Server 2022, Microsoft Windows 11 (21H2,22H2).</p><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU strongly recommends applying the latest patches for Microsoft Windows Server 2022, focusing on Internet-facing systems first. Additionally, CERT-EU recommends applying the latest patches to systems running Microsoft Windows 11.</p><h3 id=\"mitigations\">Mitigations</h3><p>HTTP/3 support for services is a new feature in recent Windows operating systems. A prerequisite for a server to be vulnerable is that the binding has HTTP/3 enabled, and the server uses buffered I/O. Therefore, disabling HTTP/3 via a registry key mitigates this vulnerability [2].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23392\">https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-23392</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://techcommunity.microsoft.com/t5/networking-blog/enabling-http-3-support-on-windows-server-2022/ba-p/2676880\">https://techcommunity.microsoft.com/t5/networking-blog/enabling-http-3-support-on-windows-server-2022/ba-p/2676880</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}