CVE-2023-23410 – This vulnerability in Windows HTTP.sys allows a... (How to Fix)

Q: What is the severity of CVE-2023-23410?

CVE-2023-23410 has a CVSS score of 7.8 (HIGH). This vulnerability in Windows HTTP.sys allows an attacker to gain elevated privileges on affected systems by exploiting an integer overflow condition. It affects Windows servers and workstations running vulnerable versions of the HTTP.sys driver. Successful exploitation could lead to system compromise.

📋 TL;DR

This vulnerability in Windows HTTP.sys allows an attacker to gain elevated privileges on affected systems by exploiting an integer overflow condition. It affects Windows servers and workstations running vulnerable versions of the HTTP.sys driver. Successful exploitation could lead to system compromise.

💻 Affected Systems

Products:

Windows Server
Windows Client

Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Systems using HTTP.sys for web services (IIS, HTTP API) are vulnerable. The vulnerability exists in the core HTTP.sys driver component.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system takeover with SYSTEM privileges, enabling installation of malware, data theft, and lateral movement across the network.

🟠

Likely Case

Local privilege escalation allowing attackers to execute arbitrary code with elevated privileges on compromised systems.

🟢

If Mitigated

Limited impact due to network segmentation, least privilege principles, and proper patch management preventing successful exploitation.

🌐 Internet-Facing: MEDIUM - While HTTP.sys handles web traffic, exploitation typically requires local access or ability to execute code on the target system first.

🏢 Internal Only: HIGH - Once an attacker gains initial access to a vulnerable system, they can escalate privileges and move laterally within the network.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access to execute code initially. The vulnerability involves integer overflow (CWE-190) in HTTP.sys driver.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: March 2023 security updates (KB5023696, KB5023697, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23410

Restart Required: Yes

Instructions:

1. Apply March 2023 Windows security updates from Windows Update. 2. For enterprise environments, deploy updates via WSUS, SCCM, or Intune. 3. Restart systems after patch installation.

🔧 Temporary Workarounds

Disable HTTP.sys if not needed

windows

Remove or disable HTTP.sys driver if web services are not required

sc config http start= disabled
sc stop http

Network segmentation

all

Isolate vulnerable systems from critical assets and limit lateral movement

🧯 If You Can't Patch

Implement strict network segmentation to isolate vulnerable systems
Apply principle of least privilege and monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check Windows version and compare with affected versions list. Systems without March 2023 security updates are vulnerable.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify March 2023 security updates are installed via 'winver' or 'systeminfo' command

📡 Detection & Monitoring

Log Indicators:

Event ID 4624 (logon) with elevated privileges from unusual processes
Security log entries showing privilege escalation

Network Indicators:

Unusual outbound connections from systems after local compromise

SIEM Query:

EventID=4624 AND (NewElevatedToken="%%1842" OR TokenElevationType="%%1938") | stats count by Computer, ProcessName

📊 Metadata

CVE ID: CVE-2023-23410

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-190

Published: March 14, 2023

Last Updated: November 21, 2024

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23410 Patch,Vendor Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23410 Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-23410, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 20h2 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 21h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable HTTP.sys if not needed

Network segmentation

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities