CVE-2023-36435 - Deep Dive Into Microsoft QUIC Denial of Service Vulnerability
---
In June 2023, Microsoft patched a critical vulnerability (CVE-2023-36435) related to its implementation of the QUIC protocol. This flaw, if exploited, could let attackers crash Microsoft servers using QUIC, causing a Denial of Service (DoS). In this post, we’ll break down what QUIC is, how this vulnerability works, and how attackers could use it—with code snippets and links to important references.
What is QUIC?
QUIC (Quick UDP Internet Connections) is a transport layer protocol developed by Google and now standardized by the IETF. Unlike TCP, QUIC works over UDP and is designed for faster, more secure web traffic. Many modern services—including Microsoft Edge, Windows Server, and IIS—support QUIC.
Where’s the Flaw?
CVE-2023-36435 is a DoS vulnerability. It exists because Microsoft QUIC implementations in Windows don’t correctly validate certain network packets. Specifically, a remote attacker could send a sequence of malformed QUIC packets that trigger a crash in the process handling QUIC connections.
When Windows servers process these invalid packets, the service may terminate unexpectedly—leaving users without access until a manual restart.
- Official MSRC write-up: CVE-2023-36435 - Microsoft QUIC Denial of Service Vulnerability
- Microsoft advisory: June 2023 Security Updates
Microsoft lists the following as at risk:
- Windows Server 2019/2022
- Windows 10/11 (if using QUIC-enabled services or apps)
- Any service/app using the Microsoft MsQuic library
See affected products in the official bulletin.
1. Attacker Finds a QUIC Service
First, the attacker scans for open UDP/443 endpoints (common for QUIC/TLS).
2. Crafting Malformed QUIC Packets
By sending specially crafted packets—sometimes with unexpected frames or invalid length fields—an attacker can trigger the flaw. Libraries like quicly and MsQuic can help for research and testing.
Here's a minimal Python proof of concept using the standard socket module:

```python
import socket

# Replace with the target QUIC service IP and port
target_ip = '192.168.1.100'
target_port = 443  # QUIC is commonly served on 443/UDP

# Malformed QUIC packet (random or specially crafted bytes)
malformed_packet = b"\x00" * 500  # Minimal example: 500 zero bytes, not a valid QUIC header

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # QUIC runs over UDP
sock.sendto(malformed_packet, (target_ip, target_port))
sock.close()
print("Sent malformed packet")
```
> *Note: Crafted packets for real exploits are much more complex.*
Corrupted headers
For more targeted fuzzing, check out AFLnet, which specializes in network protocol fuzzing.
If the service restarts automatically, repeated abuse could still cause extended downtime.
On high-availability webservers or critical Windows infrastructure, this could mean serious outages.
Microsoft’s Fix
Microsoft fixed this bug by improving input validation in MsQuic. Make sure to install all June 2023 cumulative updates (or later).
- KB5027238 for Server 2022
- KB5027231 for Windows 11
Check your Windows Update history or run:

```powershell
Get-HotFix | Where-Object {$_.HotFixID -like "KB5027*"}
```
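To make "improving input validation" concrete, here is an added example, written for this post and not taken from Microsoft or the MsQuic project, of a strict parser for the QUIC v1 client Initial long header as specified in RFC 9000. Every length field (DCID Len, SCID Len, Token Length, Length) is checked against the bytes actually received before any slice is taken, connection IDs are capped at 20 bytes, and client Initial datagrams under 1200 bytes are dropped, which RFC 9000 §14.1 permits a server to do. The sample datagrams, source addresses, and the `build_initial` and `suspicious_sources` helpers are all constructed for illustration; the 500 zero bytes from the PoC above are included so you can see how a hardened receiver disposes of them.

```python
from typing import NamedTuple, Optional

QUIC_V1 = 0x00000001
MAX_CID_LEN = 20             # RFC 9000 §17.2: connection IDs are at most 20 bytes
MIN_INITIAL_DATAGRAM = 1200  # RFC 9000 §14.1: client Initial datagrams are padded to >= 1200 bytes

class MalformedPacket(ValueError):
    """Any violation of the long-header framing rules; the receiver drops the datagram."""

def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a QUIC variable-length integer (RFC 9000 §16); return (value, next position)."""
    if pos >= len(buf):
        raise MalformedPacket("truncated varint")
    size = 1 << (buf[pos] >> 6)  # top two bits select a 1, 2, 4 or 8 byte encoding
    if pos + size > len(buf):
        raise MalformedPacket("truncated varint")
    value = buf[pos] & 0x3F
    for b in buf[pos + 1:pos + size]:
        value = (value << 8) | b
    return value, pos + size

def encode_varint(value: int) -> bytes:
    """Inverse of read_varint for values below 2**30; used only to build the sample packets."""
    size = 1 if value < 0x40 else 2 if value < 0x4000 else 4
    return (value | (size >> 1) << (8 * size - 2)).to_bytes(size, "big")

def read_cid(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Read an 8-bit length-prefixed connection ID, bounds-checked before slicing."""
    if pos >= len(buf):
        raise MalformedPacket("truncated connection ID length")
    cid_len = buf[pos]
    if cid_len > MAX_CID_LEN:
        raise MalformedPacket(f"connection ID length {cid_len} exceeds {MAX_CID_LEN}")
    if pos + 1 + cid_len > len(buf):
        raise MalformedPacket("truncated connection ID")
    return buf[pos + 1:pos + 1 + cid_len], pos + 1 + cid_len

# Parsed header: Length is the packet number plus payload byte count claimed by the sender.
InitialHeader = NamedTuple("InitialHeader", [("dcid", bytes), ("scid", bytes), ("token", bytes), ("length", int)])

def parse_initial(datagram: bytes) -> InitialHeader:
    """Parse a client Initial long header (RFC 9000 §17.2), rejecting any inconsistent length."""
    if len(datagram) < 5 or datagram[0] & 0xC0 != 0xC0:
        raise MalformedPacket("not a long header with the fixed bit set")
    first = datagram[0]
    version = int.from_bytes(datagram[1:5], "big")
    if version != QUIC_V1:
        raise MalformedPacket(f"unsupported version 0x{version:08x}")
    if (first >> 4) & 0x03 != 0:  # long packet type 0b00 is Initial
        raise MalformedPacket("not an Initial packet")
    dcid, pos = read_cid(datagram, 5)
    scid, pos = read_cid(datagram, pos)
    token_len, pos = read_varint(datagram, pos)
    if pos + token_len > len(datagram):
        raise MalformedPacket("token length exceeds datagram")
    token, pos = datagram[pos:pos + token_len], pos + token_len
    length, pos = read_varint(datagram, pos)
    if length < (first & 0x03) + 1:  # must at least cover the 1-4 byte packet number
        raise MalformedPacket("length field smaller than the packet number")
    if pos + length > len(datagram):
        raise MalformedPacket("length field exceeds datagram")
    if len(datagram) < MIN_INITIAL_DATAGRAM:  # server-side rule for client Initials
        raise MalformedPacket("client Initial datagram shorter than 1200 bytes")
    return InitialHeader(dcid, scid, token, length)

def reject_reason(datagram: bytes) -> Optional[str]:
    """None for a well-formed Initial, otherwise the reason a hardened receiver would log."""
    try:
        parse_initial(datagram)
        return None
    except MalformedPacket as exc:
        return str(exc)

def build_initial(dcid: bytes, scid: bytes, payload: bytes, pad: bool = True) -> bytes:
    """Construct a sample client Initial (packet number 0, no token); test input, not a capture."""
    hdr = bytes([0xC0]) + QUIC_V1.to_bytes(4, "big")  # long header, fixed bit, type Initial, 1-byte PN
    hdr += bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid + encode_varint(0)
    body = b"\x00" + payload  # packet number, then frame bytes (not parsed here)
    if pad:  # PADDING frames (0x00) so the datagram reaches 1200 bytes; 2 = size of the Length varint
        body += bytes(MIN_INITIAL_DATAGRAM - len(hdr) - 2 - len(body))
    return hdr + encode_varint(len(body)) + body

# Constructed traffic sample (source address, datagram); the payload is an opaque stand-in.
GOOD = build_initial(b"\x01" * 8, b"\x02" * 8, b"\x06" + bytes(31))
SAMPLES = [
    ("10.0.0.5", GOOD),
    ("10.0.0.9", bytes(500)),                           # the 500 zero bytes sent by the PoC above
    ("10.0.0.9", GOOD[:20]),                            # cut off inside the SCID
    ("10.0.0.9", GOOD[:5] + b"\x15" + GOOD[6:]),        # DCID Len = 21, above the 20-byte cap
    ("10.0.0.9", GOOD[:24] + b"\x7f\xff" + GOOD[26:]),  # Length field claims 16383 bytes
    ("10.0.0.9", build_initial(b"\x01" * 8, b"\x02" * 8, b"\x06" + bytes(31), pad=False)),  # < 1200
    ("10.0.0.7", GOOD[:20]),
]

def suspicious_sources(samples, threshold: int = 3) -> dict[str, int]:
    """Count rejected datagrams per source and return the sources at or above the threshold."""
    counts: dict[str, int] = {}
    for src, dgram in samples:
        if reject_reason(dgram) is not None:
            counts[src] = counts.get(src, 0) + 1
    return {src: n for src, n in counts.items() if n >= threshold}
```

`reject_reason` gives the log line a receiver that validates before it trusts would emit, and `suspicious_sources` turns those rejections into a per-source count, which is the kind of "odd UDP/443 behavior" signal worth alerting on at the edge. The 1200-byte rule only applies to client Initials, so a parser for server-to-client traffic would drop that one check.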
Additional References
- QUIC RFC 9000
- QUIC adoption and performance
- Microsoft MsQuic GitHub
- Patch all Windows servers and workstations with the June 2023 Security Updates or later
- Use firewalls to restrict unnecessary UDP/443 exposure
Summary
CVE-2023-36435 is a denial of service flaw in Microsoft’s QUIC protocol processing code. It can let attackers remotely crash Windows services running MsQuic. The fix is to update your systems. If you run critical infrastructure with QUIC enabled, patch urgently and monitor your network for odd UDP/443 behavior.
Stay safe, patch early, and keep your eye on service exposures!
Timeline
Published on: 10/10/2023 18:15:12 UTC
Last modified on: 10/12/2023 17:50:44 UTC