CVE-2023-32084
📋 TL;DR
CVE-2023-32084 is a denial-of-service vulnerability in HTTP.sys, the Windows HTTP protocol stack. It allows remote attackers to crash affected systems by sending specially crafted HTTP requests, causing service disruption. This affects Windows servers running IIS with HTTP.sys enabled.
💻 Affected Systems
- Windows Server
- Windows
📦 What is this software?
Windows 10 1809 by Microsoft
Windows 11 21H2 by Microsoft
Windows 11 22H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system crash requiring reboot, leading to extended service downtime and potential data loss for in-memory applications.
Likely Case
IIS service crash causing website/application unavailability until service restart, with potential cascading failures in dependent systems.
If Mitigated
Service interruption limited to affected application pool with automatic recovery if configured, minimal business impact.
🎯 Exploit Status
Microsoft rates this as 'Exploitation More Likely' in their advisory. The vulnerability requires no authentication and can be triggered remotely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Security updates from June 2023 or later
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32084
Restart Required: Yes
Instructions:
1. Apply Windows security updates from June 2023 or later.
2. For Windows Server, install via Windows Update or WSUS.
3. Restart the system to complete installation.
🔧 Temporary Workarounds
Disable HTTP.sys
Windows: Remove HTTP.sys from the attack surface by disabling it if not required
sc config http start= disabled
sc stop http
Use alternative web server
Windows: Switch from IIS to an alternative web server that does not use HTTP.sys
🧯 If You Can't Patch
- Implement network segmentation to restrict access to affected servers
- Deploy web application firewall (WAF) with HTTP request filtering and rate limiting
🔍 How to Verify
Check if Vulnerable:
Check Windows version and patch level via 'systeminfo' command. Vulnerable if running affected Windows version without June 2023 security updates.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"Hotfix(s)"
Verify Fix Applied:
Verify that 'systeminfo' lists June 2023 or later security updates as installed and that the HTTP.sys driver is running the patched version.
📡 Detection & Monitoring
Log Indicators:
- Event ID 1000 from IIS/W3SVC indicating crash
- HTTP.sys error events in System logs
- Unexpected IIS worker process termination
Network Indicators:
- Spike in HTTP requests to server followed by service unavailability
- Unusual HTTP request patterns from single source
SIEM Query:
source="windows" AND (event_id=1000 OR "HTTP.sys" OR "w3wp.exe crash")
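The patch-level check from "How to Verify" and the log indicators from "Detection & Monitoring", as an added PowerShell example that is not part of the original advisory. It assumes it is run elevated on the IIS host, that HTTP.sys events appear in the System log under provider name 'HTTP', and, since the page gives no KB number, it approximates "patched" as "any update installed in or after June 2023", exactly as the advisory phrases it.

```powershell
# Added example (not from the advisory): defender-side check for patch level and for the
# crash indicators the page lists. Assumes an elevated session on the IIS host.
$cutoff = Get-Date '2023-06-01'   # advisory: "June 2023 or later"; KB number not on the page

# 1. Patch level. Get-HotFix reads the same data that systeminfo's "Hotfix(s)" line shows.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $cutoff } |
    Sort-Object InstalledOn -Descending

if ($recent) {
    "Updates installed since June 2023 (newest first):"
    $recent | Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize
} else {
    Write-Warning "No updates installed since June 2023: host is likely still exposed to CVE-2023-32084"
}

# 2. Is HTTP.sys in use at all? The kernel driver runs as the service named 'http';
#    if it is stopped, IIS and other HTTP.sys consumers are not listening.
$http = Get-Service -Name http -ErrorAction SilentlyContinue
"HTTP.sys (service 'http') status: $($http.Status)"

# 3. Log indicators from the advisory, last 7 days:
#    - Application log Event ID 1000 where the faulting application is the IIS worker (w3wp.exe)
#    - Error/Critical events from HTTP.sys in the System log (assumed provider name 'HTTP')
$since = (Get-Date).AddDays(-7)

$w3wpCrashes = Get-WinEvent -FilterHashtable @{ LogName='Application'; Id=1000; StartTime=$since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'w3wp\.exe' }

$httpSysErrors = Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='HTTP'; StartTime=$since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Level -le 2 }   # Level 1 = Critical, 2 = Error

"w3wp.exe crash events (ID 1000) in last 7 days: $(@($w3wpCrashes).Count)"
"HTTP.sys error/critical events in last 7 days: $(@($httpSysErrors).Count)"

# 4. A burst of either, clustered in time, matches the "spike in requests followed by
#    unavailability" pattern the advisory describes; bucket by hour to make a burst visible.
@($w3wpCrashes) + @($httpSysErrors) |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name |
    Select-Object @{ n='Hour'; e={ $_.Name } }, Count |
    Format-Table -AutoSize
```

Feed the hourly buckets into the SIEM alongside the query above; a single hour with several entries is the pattern worth alerting on, while isolated entries are usually ordinary worker-process recycling.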