CVE-2023-23392: Critical Wormable Flaw Discovered in Windows HTTP/3 Protocol Stack
A high-risk security vulnerability, identified as CVE-2023-23392, has recently been discovered in the HTTP/3 protocol stack of Microsoft Windows Server 2022 and Windows 11 systems. The vulnerability, which carries a CVSS score of 9.8, enables a remote attacker to execute arbitrary code on the affected systems. Microsoft has released a security fix and warns that this vulnerability is likely to be exploited soon.
What is the Vulnerability?
The vulnerability resides in the HTTP/3 protocol stack component of the latest Microsoft Windows systems, allowing a remote attacker to execute arbitrary code on the targeted system. The flaw can be exploited by sending a specially crafted request to the target system, granting the attacker the ability to execute code at the SYSTEM level without user interaction. This combination renders the bug wormable, at least among systems that meet the target requirements.
Who is Affected?
The vulnerability specifically affects Windows 11 and Windows Server 2022, indicating that it is a newer bug and not a legacy code issue. To be vulnerable, the target system must have HTTP/3 enabled and set to use buffered I/O—a relatively common configuration.
How Can the Vulnerability be Exploited?
To exploit the vulnerability, an attacker must first identify a target system that meets the following prerequisites:
- HTTP/3 is active, and
- The server uses buffered I/O.
If the system fulfills these prerequisites, the attacker can then send a specially crafted packet to the system, triggering the vulnerability and potentially gaining unauthorized access.
Recommendations for Protection:
We strongly recommend applying the latest patches for Microsoft Windows Server 2022, with an emphasis on securing Internet-facing systems first. Furthermore, we advise applying the most recent patches to systems running Microsoft Windows 11 to ensure optimal protection. The discovery of the CVE-2023-23392 vulnerability in the HTTP/3 protocol stack of Microsoft Windows Server 2022 and Windows 11 systems underscores the importance of regularly updating and patching systems. With the potential for wormable exploitation, it is crucial for organizations to take immediate action to safeguard their networks and prevent unauthorized access.
Mitigation Strategies:
HTTP/3 support for services is a new feature in recent Windows operating systems. A server is vulnerable only if the binding has HTTP/3 enabled and the server uses buffered I/O. Consequently, disabling HTTP/3 via a registry key can effectively mitigate this vulnerability.
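The prerequisites and the patching order described above can be applied to an asset inventory to decide which hosts get the fix first. This is an added example, not code from the advisory or from Microsoft; the inventory field names (`http3_enabled`, `buffered_io`, `internet_facing`, `patched`) and the sample hosts are assumptions constructed for illustration.

```python
# Added example: patch-order triage for CVE-2023-23392 over an asset inventory.
# Field names and the sample hosts below are constructed for illustration.
AFFECTED_OS = {"Windows 11", "Windows Server 2022"}

def assess(host):
    """Return (sort_key, reason) if the host still needs the fix, else None."""
    if host["os"] not in AFFECTED_OS or host.get("patched") is True:
        return None
    http3 = host.get("http3_enabled")      # True / False / None (not verified)
    buffered = host.get("buffered_io")     # True / False / None (not verified)
    internal = host.get("internet_facing") is False  # unknown counts as exposed
    if http3 is False or buffered is False:
        # One prerequisite is ruled out: not exploitable as described, but the
        # fix is still needed in case the configuration changes later.
        return (1, internal, 0), "prerequisite ruled out; patch in normal cycle"
    if http3 is None or buffered is None:
        # Missing inventory data must never lower a host's priority.
        return (0, internal, 1), "prerequisites unverified; treat as exposed"
    return (0, internal, 0), "HTTP/3 enabled with buffered I/O"

def triage(hosts):
    """Order unpatched affected hosts: exposed and Internet-facing first."""
    scored = [(assess(h), h["name"]) for h in hosts]
    ranked = sorted((r[0], name, r[1]) for r, name in scored if r is not None)
    return [(name, reason) for _key, name, reason in ranked]

INVENTORY = [  # constructed sample data
    {"name": "wks-04", "os": "Windows 11", "internet_facing": False, "http3_enabled": False},
    {"name": "app-03", "os": "Windows Server 2022", "internet_facing": False, "http3_enabled": True, "buffered_io": True},
    {"name": "web-05", "os": "Windows Server 2022", "internet_facing": True, "patched": True},
    {"name": "web-02", "os": "Windows Server 2022", "internet_facing": True},
    {"name": "old-06", "os": "Windows Server 2019", "internet_facing": True},
    {"name": "web-01", "os": "Windows Server 2022", "internet_facing": True, "http3_enabled": True, "buffered_io": True},
]

if __name__ == "__main__":
    for name, reason in triage(INVENTORY):
        print(f"{name}: {reason}")
```

Hosts whose HTTP/3 or buffered I/O state has not been verified are ranked with the exposed ones, so gaps in the inventory do not delay patching.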