--- licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0) licence_link: https://creativecommons.org/licenses/by/4.0/ licence_restrictions: https://cert.europa.eu/legal-notice licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies title: 'Remote Code Execution vulnerability in Windows HTTP protocol stack' version: '1.0' number: '2023-020' original_date: 'March 14, 2023' date: 'March 15, 2023' --- _History:_ * _15/03/2023 --- v1.0 -- Initial publication_ # Summary On March 14, 2023, Microsoft released a security fix for a vulnerability (`CVE-2023-23392`) in the HTTP/3 protocol stack of Microsoft Windows Server 2022 and Windows 11 systems [1]. This vulnerability allows a remote attacker to execute arbitrary code. Microsoft expects this vulnerability likely to be exploited soon. # Technical Details The vulnerability exists in the HTTP/3 protocol stack of current Microsoft Windows systems. An attacker can exploit this vulnerability if the attacked system fulfils some prerequisites: * HTTP/3 needs to be active, and * the server uses buffered I/O. If the system fulfils these prerequisites, an attacker can send a specially crafted packet to the system and trigger the vulnerability. # Affected Products Microsoft Windows Server 2022, Microsoft Windows 11 (21H2,22H2). # Recommendations CERT-EU strongly recommends applying the latest patches for Microsoft Windows Server 2022, focusing on Internet-facing systems first. Additionally, CERT-EU recommends applying the latest patches to systems running Microsoft Windows 11. ## Mitigations HTTP/3 support for services is a new feature in recent Windows operating systems. A prerequisite for a server to be vulnerable is that the binding has HTTP/3 enabled, and the server uses buffered I/O. Therefore, disabling HTTP/3 via a registry key mitigates this vulnerability [2]. # References [1] [2]