First published: Tue Oct 10 2023
### Impact

The MsQuic server application or process will crash, resulting in a denial of service.

### Patches

The following patch was made:

- Don't Allow Version Negotiation Packets for Server Connections - https://github.com/microsoft/msquic/commit/3226cff07d22662f16fc98d605656860e64cd343

### Workarounds

Beyond upgrading to the patched versions, there is no other workaround. You must upgrade or disable MsQuic functionality.
Credit: secure@microsoft.com
Affected Software | Affected Version | How to fix |
---|---|---|
Microsoft PowerShell 7.3 | | |
Microsoft Windows Server 2022 | | |
Microsoft Windows 11 | =22H2 | |
Microsoft Windows 11 | =21H2 | |
Microsoft Visual Studio 2022 | =17.6 | |
Microsoft Visual Studio 2022 | =17.2 | |
Microsoft Visual Studio 2022 | =17.7 | |
Microsoft .NET 7.0 | | |
Microsoft .NET | >=7.0.0 <7.0.12 | |
Microsoft Visual Studio 2022 | >=17.2.0 <17.2.20 | |
Microsoft Visual Studio 2022 | >=17.4.0 <17.4.12 | |
Microsoft Visual Studio 2022 | >=17.6.0 <17.6.8 | |
Microsoft Visual Studio 2022 | >=17.7.0 <17.7.5 | |
Microsoft Windows 11 22H2 | <10.0.22621.2428 | |
nuget/Microsoft.Native.Quic.MsQuic.OpenSSL | <2.2.3 | 2.2.3 |
nuget/Microsoft.Native.Quic.MsQuic.Schannel | <2.2.3 | 2.2.3 |
CVE-2023-38171 is a Microsoft QUIC Denial of Service vulnerability that can cause the MsQuic server to crash, resulting in a denial of service.
CVE-2023-38171 has a severity rating of 7.5, which is considered high.
Software products affected by CVE-2023-38171 include Microsoft .NET 7.0, Visual Studio 2022 (versions 17.6 and 17.7), Windows Server 2022 (Server Core Installation), Visual Studio 2022 (version 17.2), and Windows 11 (versions 22H2 and 21H2).
You can apply the necessary patches for CVE-2023-38171 by following the provided URLs for each affected software product: Microsoft .NET 7.0 (https://dotnet.microsoft.com/download/dotnet/7.0), Visual Studio 2022 (version 17.6 - https://my.visualstudio.com/Downloads?q=Visual Studio 2022 version 17.6, version 17.7 - https://my.visualstudio.com/Downloads?q=Visual Studio 2022 version 17.7), and Windows Server 2022 (https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5031364 for Server Core Installation).
The Common Weakness Enumeration (CWE) for CVE-2023-38171 is CWE-400.
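
The patch listed above is titled "Don't Allow Version Negotiation Packets for Server Connections". The following C code is an added example, not MsQuic's code and not taken from the commit: it shows how a receive path can recognise a Version Negotiation packet from the version-independent QUIC invariants (RFC 8999: long header bit set, Version field of 0) and refuse it on a server connection. `quic_role`, `pkt_class`, `classify` and `accept_packet` are hypothetical names, and the byte arrays are constructed samples.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for illustration; not MsQuic's types or functions. */
typedef enum { ROLE_CLIENT, ROLE_SERVER } quic_role;
typedef enum { PKT_OTHER, PKT_VN, PKT_VN_MALFORMED } pkt_class;

/* Classify a UDP payload using only the QUIC invariants (RFC 8999):
 * long header bit set and Version == 0 means Version Negotiation (VN). */
pkt_class classify(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < 5 || (buf[0] & 0x80) == 0) return PKT_OTHER;
    if (buf[1] | buf[2] | buf[3] | buf[4]) return PKT_OTHER; /* real version */
    size_t off = 5;
    if (off >= len) return PKT_VN_MALFORMED;            /* no DCID length byte */
    size_t dcid_len = buf[off++];
    if (dcid_len >= len - off) return PKT_VN_MALFORMED; /* DCID + SCID length must fit */
    off += dcid_len;
    size_t scid_len = buf[off++];
    if (scid_len > len - off) return PKT_VN_MALFORMED;  /* SCID must fit */
    off += scid_len;
    size_t rest = len - off;                            /* Supported Version list */
    return (rest >= 4 && rest % 4 == 0) ? PKT_VN : PKT_VN_MALFORMED;
}

/* Receive-path gate: only clients ever process Version Negotiation, so a
 * server connection drops it whether or not the body parses cleanly. */
bool accept_packet(quic_role role, const uint8_t *buf, size_t len)
{
    return !(role == ROLE_SERVER && classify(buf, len) != PKT_OTHER);
}

/* Constructed sample payloads (not captured traffic). */
static const uint8_t SAMPLE_VN[] = { 0x80, 0, 0, 0, 0, 4, 0xd1, 0xd2, 0xd3, 0xd4,
                                     4, 0xa1, 0xa2, 0xa3, 0xa4, 0, 0, 0, 1 };
static const uint8_t SAMPLE_VN_TRUNCATED[] = { 0x80, 0, 0, 0, 0, 8, 0xd1, 0xd2 };
static const uint8_t SAMPLE_V1_LONG[] = { 0xc0, 0, 0, 0, 1, 0, 0, 0, 0 };

int main(void)
{
    printf("VN:        class=%d server_accepts=%d client_accepts=%d\n",
           classify(SAMPLE_VN, sizeof SAMPLE_VN),
           accept_packet(ROLE_SERVER, SAMPLE_VN, sizeof SAMPLE_VN),
           accept_packet(ROLE_CLIENT, SAMPLE_VN, sizeof SAMPLE_VN));
    printf("truncated: class=%d server_accepts=%d\n",
           classify(SAMPLE_VN_TRUNCATED, sizeof SAMPLE_VN_TRUNCATED),
           accept_packet(ROLE_SERVER, SAMPLE_VN_TRUNCATED, sizeof SAMPLE_VN_TRUNCATED));
    printf("v1 long:   class=%d server_accepts=%d\n",
           classify(SAMPLE_V1_LONG, sizeof SAMPLE_V1_LONG),
           accept_packet(ROLE_SERVER, SAMPLE_V1_LONG, sizeof SAMPLE_V1_LONG));
    return 0;
}
```

The same classification can be reused in a packet-capture filter to count Version Negotiation packets arriving at a server's QUIC port, which a server should never legitimately receive.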