CVE-2023-28241

7.5 HIGH

📋 TL;DR

This vulnerability in Windows Secure Socket Tunneling Protocol (SSTP) allows an unauthenticated remote attacker to cause a denial of service by sending specially crafted packets to the SSTP listener on TCP 443. It affects Windows hosts that have SSTP enabled and may crash the SSTP service or disrupt VPN connectivity. This impacts Windows servers and workstations that use SSTP for VPN connections; hosts that never serve SSTP are not reachable through this bug.

💻 Affected Systems

Products:
  • Windows
Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Operating Systems: Windows
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if SSTP is enabled and configured. The SSTP service (SstpSvc) ships with every Windows edition, but a host only listens for SSTP connections once Routing and Remote Access (RRAS) has been set up as a VPN server, which is not the case on a default installation.

📦 What is this software?

Secure Socket Tunneling Protocol (SSTP) is Microsoft's VPN tunneling protocol. It carries PPP frames inside an HTTPS (TLS) session on TCP 443, so VPN traffic passes through firewalls and proxies that already permit outbound HTTPS. Windows has included an SSTP client since Windows Vista SP1, and Windows Server provides the SSTP server side through the Routing and Remote Access Service (RRAS) role.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system crash requiring reboot, disrupting VPN connectivity and dependent services

🟠 Likely Case: SSTP service crash disrupting VPN connections until the service restarts

🟢 If Mitigated: Minimal impact with proper network segmentation and monitoring

🌐 Internet-Facing: MEDIUM - Requires SSTP service exposed to internet, which is less common than other VPN protocols
🏢 Internal Only: LOW - Internal exploitation requires network access and SSTP usage

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Microsoft rates this as 'Exploitation More Likely' in their advisory. The vulnerability requires network access to SSTP port (TCP 443).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: April 2023 security updates (KB5025221, KB5025239, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28241

Restart Required: Yes

Instructions:

1. Apply the April 2023 Windows security updates via Windows Update (the KB number differs per Windows version; see the advisory).
2. For enterprise fleets, deploy through WSUS or Microsoft Endpoint Configuration Manager.
3. Restart affected systems after the update installs; the fix is not active until reboot.

🔧 Temporary Workarounds

Disable SSTP Service

windows

If this host does not need to serve SSTP, stop the Remote Access services. Note that RasMan (Remote Access Connection Manager) underpins every VPN type on Windows, and on an RRAS server the Routing and Remote Access service depends on it, so the commands below take down all VPN connectivity on the host, not only SSTP. To remove only SSTP from an RRAS server, open the Routing and Remote Access console, go to Ports, select WAN Miniport (SSTP), click Configure and clear "Remote access connections (inbound only)".

# -Force also stops services that depend on RasMan (e.g. RemoteAccess on an RRAS server)
Stop-Service -Name RasMan -Force
Set-Service -Name RasMan -StartupType Disabled

Block SSTP Port

all

SSTP shares TCP 443 with ordinary HTTPS, so do not block the port wholesale. At the perimeter, permit inbound TCP 443 to the SSTP server only from known client source ranges (or drop it entirely if no remote users need the VPN until the patch is applied). Clients outside the allowed ranges lose VPN access, so pair this with an alternative access path or an accelerated patch window.
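The same scoping can be applied on the SSTP host itself with Windows Defender Firewall. The script below is an added example, not part of the Microsoft advisory or of any vendor tooling; it assumes the host uses Windows Defender Firewall and that the client egress ranges are known (the addresses used here are placeholders from documentation ranges). Because Windows Firewall gives block rules precedence over allow rules, it does not add a "block 443" rule; it relies on the profile's default-block inbound action and disables any existing rule that allows 443 from anywhere.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory): restrict inbound TCP/443 on the SSTP host
# to known client source ranges. Placeholder ranges; replace with your own.
$AllowedClients = @('203.0.113.0/24', '198.51.100.10')   # assumption: VPN client egress ranges

# 1. Unsolicited inbound traffic is dropped unless an enabled allow rule matches it.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Disable enabled inbound rules that allow TCP 443 from Any. A block rule would
#    override the scoped allow added in step 3, so the default-block does the job.
#    (LocalPort is matched literally; port ranges such as 400-500 are not caught.)
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 443 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -eq 'Any') {
            Write-Host "Disabling broad TCP/443 rule: $($_.DisplayName)"
            $_ | Disable-NetFirewallRule
        }
    }

# 3. Allow SSTP only from the listed sources.
New-NetFirewallRule -DisplayName 'SSTP (TCP 443) from known client ranges' `
    -Direction Inbound -Protocol TCP -LocalPort 443 `
    -RemoteAddress $AllowedClients -Action Allow -Profile Any | Out-Null

# 4. Show what is now allowed on 443 so the change can be reviewed.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 443 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Action,
        @{ n = 'RemoteAddress'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',' } }
```

Step 2 also disables broad allow rules that belong to other TLS services on the same host (for example IIS), so review the printed rule names before running this on a multi-role server.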

🧯 If You Can't Patch

  • Implement network segmentation to isolate SSTP servers from untrusted networks
  • Deploy network monitoring and intrusion detection for SSTP traffic anomalies

🔍 How to Verify

Check if Vulnerable:

Check if SSTP is enabled. On Windows Server, confirm the VPN role is installed, then check that the SSTP and RRAS services are running; on a client OS Get-WindowsFeature is unavailable, so use only the service check:
Get-WindowsFeature -Name DirectAccess-VPN
Get-Service -Name SstpSvc, RemoteAccess | Select-Object Name, Status, StartType

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify the fix is installed. The KB number depends on the Windows version (KB5025221 for Windows 10 21H2/22H2, KB5025239 for Windows 11 22H2; see the advisory for other versions), and because Windows updates are cumulative a later monthly update also contains the fix, so an absent April KB does not by itself mean the host is vulnerable: Get-HotFix -Id KB5025221, KB5025239 -ErrorAction SilentlyContinue, or compare the OS build (winver) against the build listed for the April 2023 update of your version.
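As an added check that is not part of the advisory, the script below compares the installed build revision (UBR) with the April 2023 build numbers for the two KBs named above and reports whether the host actually runs the SSTP service. The thresholds for KB5025221 (19044/19045.2846) and KB5025239 (22621.1555) are the build numbers published in Microsoft's release notes for those updates; rows for other versions must be added from the advisory, and an unlisted build is reported as unknown rather than patched. The TCP 443 listen check is a heuristic, since IIS or another TLS service may own the port.

```powershell
# Added example (not from the advisory): patch-state and exposure check for CVE-2023-28241.
# Build -> minimum UBR carrying the April 2023 fix. Assumption: extend per advisory.
$Thresholds = @{
    '19044' = 2846   # Windows 10 21H2, KB5025221
    '19045' = 2846   # Windows 10 22H2, KB5025221
    '22621' = 1555   # Windows 11 22H2, KB5025239
}

function Get-SstpPatchState {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    # $true/$false when the build is in the table, $null when it is not.
    $patched = if ($Thresholds.ContainsKey($build)) { $ubr -ge $Thresholds[$build] } else { $null }

    $sstp = Get-Service -Name SstpSvc     -ErrorAction SilentlyContinue
    $rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    # Heuristic: something is listening on 443; not necessarily SSTP.
    $listening = [bool](Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OSBuild       = "$build.$ubr"
        Patched       = $patched          # $null = build not in table; check the advisory
        SstpService   = if ($sstp) { [string]$sstp.Status } else { 'NotPresent' }
        RrasService   = if ($rras) { [string]$rras.Status } else { 'NotPresent' }
        Port443Listen = $listening
        # Unpatched (or unknown) AND the SSTP/RRAS services are up AND 443 is open.
        LikelyExposed = ($patched -ne $true) -and
                        $sstp -and $sstp.Status -eq 'Running' -and
                        $rras -and $rras.Status -eq 'Running' -and
                        $listening
    }
}

Get-SstpPatchState | Format-List
```

Run it under Invoke-Command against the RRAS servers to get one row per host; a LikelyExposed of True with Patched of $null means the build table needs a row for that version before the result is trusted.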

📡 Detection & Monitoring

Log Indicators:

  • System log, source Service Control Manager, Event ID 7031 or 7034: "The Secure Socket Tunneling Protocol Service service terminated unexpectedly" (or the same message for Remote Access Connection Manager / Routing and Remote Access)
  • Application log, Event ID 1000 (Application Error) for a faulting svchost.exe hosting those services
  • Application log, source RasClient, Event ID 20227 on clients whose SSTP connections start failing; this is a client-side symptom that corroborates a server outage, not a server-side indicator
  • Multiple failed SSTP connection attempts

Network Indicators:

  • Unusual SSTP traffic patterns, for example many short-lived TLS sessions to the SSTP server from a small set of sources (an SSTP session opens with an HTTP request to /sra_{BA195980-CD49-458b-9E23-C84EE0ADCD75}/ inside the TLS tunnel, which lets an inspecting proxy tell SSTP from ordinary web traffic)
  • Multiple malformed SSTP packets (visible only where TLS is terminated or inspected)
  • Traffic spikes on TCP 443 to the SSTP server that coincide with service restarts

SIEM Query:

source="WinEventLog:System" SourceName="Service Control Manager" (EventCode=7031 OR EventCode=7034) (Message="*Secure Socket Tunneling Protocol Service*" OR Message="*Remote Access Connection Manager*" OR Message="*Routing and Remote Access*") | stats count by host, EventCode

Service crash events carry no client address, so attribute the source by joining on perimeter firewall or load balancer logs for TCP 443 connections to the SSTP server in the minute before each crash.
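The same crash filter run locally on a server, as an added example that is not from the advisory: it classifies Service Control Manager events by ID and by the service name in the message, exercises the classifier on constructed sample messages (not real captures), and then queries the live System log for the last seven days. The service display names are the ones Windows uses for RasMan, SstpSvc and RemoteAccess.

```powershell
# Added example (not from the advisory): flag unexpected terminations of the services
# that carry SSTP. The SCM logs 7031 (terminated unexpectedly, recovery action taken)
# and 7034 (terminated unexpectedly) to the System log; the message names the service.
$SstpServices = @(
    'Remote Access Connection Manager',          # RasMan
    'Secure Socket Tunneling Protocol Service',  # SstpSvc
    'Routing and Remote Access'                  # RemoteAccess (RRAS)
)

function Test-SstpServiceCrash {
    param([int]$Id, [string]$Message)
    if ($Id -notin 7031, 7034) { return $false }
    foreach ($name in $SstpServices) {
        if ($Message -like "*$name*") { return $true }
    }
    return $false
}

# Constructed sample events to show what the filter keeps and drops.
$Samples = @(
    @{ Id = 7034; Message = 'The Secure Socket Tunneling Protocol Service service terminated unexpectedly.  It has done this 1 time(s).' }
    @{ Id = 7031; Message = 'The Remote Access Connection Manager service terminated unexpectedly.  It has done this 2 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.' }
    @{ Id = 7034; Message = 'The Print Spooler service terminated unexpectedly.  It has done this 1 time(s).' }
    @{ Id = 7036; Message = 'The Secure Socket Tunneling Protocol Service service entered the stopped state.' }
)
foreach ($s in $Samples) {
    '{0,-5} {1}' -f $s.Id, (Test-SstpServiceCrash -Id $s.Id -Message $s.Message)
}

# Live query: SCM crash events from the last 7 days that name an SSTP-related service.
# Several hits minutes apart, or hits that line up with a burst of new TCP/443
# connections in firewall logs, are the pattern worth escalating.
$Since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7031, 7034
        StartTime    = $Since
    } -ErrorAction SilentlyContinue |
    Where-Object { Test-SstpServiceCrash -Id $_.Id -Message $_.Message } |
    Select-Object TimeCreated, Id, MachineName, Message |
    Format-Table -Wrap
```

Event 7036 (service entered the stopped state) is deliberately excluded: it also fires on a clean administrative stop, so it is a restart indicator, not a crash indicator.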

🔗 References

  • Microsoft Security Response Center, CVE-2023-28241: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28241
