This week, on its Patch Tuesday for March 2023, Microsoft released a patch that addresses a highly critical vulnerability (CVE-2023-23392) in the HTTP Protocol Stack.

About the vulnerability

CVE-2023-23392 details a remote code execution vulnerability that can be used to attack AD FS servers over the internet. An unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets and run malicious code on these hosts.

Affected Operating systems and configurations

When HTTP/3 and buffered I/O are enabled on the AD FS Servers and/or Web Application Proxy servers, the hosts are vulnerable. As HTTP/3 was introduced with Windows Server 2022, only Windows Server installations running this Operating System and configured with HTTP/3 are vulnerable.

Note:
HTTP/3 is not enabled by default in Windows Server 2022 and needs to be enabled using the EnableHttp3 registry key, manually.

Common Vulnerability Scoring

This vulnerability's attack complexity is rated low. Microsoft assigned a CVSSv3 score of 9.8/8.5.

Call to action

I urge you to disable HTTP/3 on Windows Server 2022 installations, acting as Active Directory Federation Services (AD FS) servers and Web Application Proxy servers, in a test environment as soon as possible, assess the risk and possible impact on your production environment and then, roll out this configuration update to Windows Server 2022 installations, acting as Active Directory Federation Services (AD FS) servers and Web Application Proxy servers, in the production environment.

Disable HTTP/3 using the following lines of Windows PowerShell:

Remove-ItemProperty -Path "HKLM\SYSTEM\CurrentControlSet\services\HTTP\Parameters\" -Name EnableHttp3 -Force

Restart-Computer

The Windows Server installation will reboot.

Tip!
When HTTP/3 was enabled on Windows Server hosts, determine the source of the configuration change. If it was set through an automated process, you may need to perform additional configuration changes to prevent the registry key from being applied in the future.