CVE-2023-38171: Microsoft QUIC Denial of Service Vulnerability
Overview
- Severity: High (CVSS 7.5)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
- Category: Denial of Service
- Exploit Status: Not Exploited
- Exploitation Likelihood: More Likely
- Patch Tuesday: 2023-Oct
- Released: 2023-10-10
- Last Updated: 2024-12-10
- EPSS Score: 8.99% (percentile: 92.6%)
FAQ
Where can I find more information?
Please see the GitHub Advisory for this vulnerability: https://github.com/microsoft/msquic/security/advisories/GHSA-xh5m-8qqp-c5x7#event-111621
Affected Products (12)
Developer Tools
- Microsoft Visual Studio 2022 version 17.2
- Microsoft Visual Studio 2022 version 17.4
- Microsoft Visual Studio 2022 version 17.6
- Microsoft Visual Studio 2022 version 17.7
- .NET 7.0
- PowerShell 7.3
Windows
- Windows Server 2022
- Windows Server 2022 (Server Core installation)
- Windows 11 version 21H2 for x64-based Systems
- Windows 11 version 21H2 for ARM64-based Systems
- Windows 11 Version 22H2 for ARM64-based Systems
- Windows 11 Version 22H2 for x64-based Systems
Security Updates (9)
Acknowledgments
ziming zhang (https://twitter.com/ezrak1e) with Ant Security Light-Year Lab
Revision History
- 2023-10-10: Information published.
- 2023-10-26: Revised the Security Updates table to include PowerShell 7.3 because this version of PowerShell 7 is affected by this vulnerability. See https://github.com/PowerShell/Announcements/issues/53 for more information.
- 2024-12-10: To comprehensively address CVE-2023-38171, Microsoft released security updates on October 24, 2023 for all affected versions of .NET and Microsoft Visual Studio.
Microsoft recommends that customers running any of these products install the updates to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action.