CVE-2023-21688

Q: What is the severity of CVE-2023-21688?

CVE-2023-21688 has a CVSS score of 7.8 (HIGH). CVE-2023-21688 is a use-after-free vulnerability in the Windows NT kernel that allows local attackers to escalate privileges from a low-privileged user to SYSTEM level. This affects Windows operating systems where an attacker already has some initial access. The vulnerability requires local access to exploit.

7.8 HIGH

📋 TL;DR

CVE-2023-21688 is a use-after-free vulnerability in the Windows NT kernel that allows local attackers to escalate privileges from a low-privileged user to SYSTEM level. This affects Windows operating systems where an attacker already has some initial access. The vulnerability requires local access to exploit.

💻 Affected Systems

Products:

Windows 10
Windows 11
Windows Server 2016
Windows Server 2019
Windows Server 2022

Versions: Multiple versions prior to January 2023 security updates

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations of affected Windows versions are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of malware, disabling security controls, and accessing all data on the system.

🟠

Likely Case

Privilege escalation from a standard user account to SYSTEM, allowing attackers to bypass security controls and maintain persistence.

🟢

If Mitigated

Limited impact if proper endpoint protection and least privilege principles are enforced, though still dangerous if exploited.

🌐 Internet-Facing: LOW - Requires local access, cannot be exploited remotely over the internet.

🏢 Internal Only: HIGH - Significant risk in internal environments where attackers have initial foothold or malicious insiders exist.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access and some technical knowledge. Proof-of-concept code has been published, making weaponization likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: January 2023 security updates (KB5022282, KB5022286, KB5022297, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21688

Restart Required: Yes

Instructions:

1. Apply January 2023 Windows security updates via Windows Update. 2. For enterprise environments, deploy updates through WSUS or SCCM. 3. Restart systems after update installation.

🔧 Temporary Workarounds

Restrict local access

windows

Limit local access to systems through physical security and access controls

Enable Windows Defender Exploit Guard

windows

Configure exploit protection to mitigate kernel exploits

Set-ProcessMitigation -System -Enable DEP, ASLR, CFG

🧯 If You Can't Patch

Implement strict least privilege access controls
Deploy endpoint detection and response (EDR) solutions with kernel monitoring

🔍 How to Verify

Check if Vulnerable:

Check Windows Update history for January 2023 security updates or run: wmic qfe list | findstr "5022282 5022286 5022297"

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify KB5022282, KB5022286, or KB5022297 is installed in Windows Update history

📡 Detection & Monitoring

Log Indicators:

Event ID 4688 with unusual parent processes
Kernel mode driver loading events
Privilege escalation attempts in security logs

Network Indicators:

Not applicable - local exploit only

SIEM Query:

EventID=4688 AND (NewProcessName="*cmd.exe" OR NewProcessName="*powershell.exe") AND ParentProcessName="*lowprivilege*" | stats count by ParentProcessName, NewProcessName

📊 Metadata

CVE ID: CVE-2023-21688

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-416

Published: February 14, 2023

Last Updated: November 21, 2024

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21688 Patch,Vendor Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21688 Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 20h2 by Microsoft

Windows 10 20h2 by Microsoft

Windows 10 20h2 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 21h2 by Microsoft

Windows 11 21h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict local access

Enable Windows Defender Exploit Guard

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities