CVE-2023-24867
📋 TL;DR
This vulnerability allows remote code execution through Microsoft PostScript and PCL6 printer drivers. An attacker could exploit this by sending specially crafted documents to a vulnerable print server or client. Organizations using affected Windows systems with these printer drivers are at risk.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 20h2 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise, allowing an attacker to execute arbitrary code with SYSTEM privileges, install malware, steal data, or pivot to other systems.
Likely Case
Privilege escalation leading to lateral movement within the network, data exfiltration, or ransomware deployment.
If Mitigated
Limited impact with proper network segmentation, restricted printer access, and updated systems.
🎯 Exploit Status
Exploitation requires sending malicious print jobs to vulnerable systems. No public proof-of-concept was available at the time of writing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: March 2023 security updates
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24867
Restart Required: Yes
Instructions:
1. Apply the March 2023 Windows security updates via Windows Update.
2. For enterprise: deploy the updates through WSUS, SCCM, or Intune.
3. Restart affected systems after patch installation.
🔧 Temporary Workarounds
Disable vulnerable printer drivers
Windows: remove or disable the PostScript and PCL6 printer drivers if they are not required
Remove-PrinterDriver -Name "Microsoft enhanced Point and Print compatibility driver"
Repeat the Remove-PrinterDriver command for the PCL6 driver entry.
Restrict print spooler access
Windows: limit network access to the print spooler service
netsh advfirewall firewall add rule name="Block Print Spooler" dir=in action=block protocol=TCP localport=135,445,9100
🧯 If You Can't Patch
- Implement network segmentation to isolate print servers from critical systems
- Disable unnecessary printer drivers and restrict print job submission to trusted users only
🔍 How to Verify
Check if Vulnerable:
Check whether the March 2023 security updates are installed via the 'systeminfo' command or the Windows Update history
Check Version:
wmic qfe list | findstr KB5023696
Get-HotFix -Id KB5023696
Verify Fix Applied:
Verify KB5023696 (or later) is installed for Windows 10/11, or KB5023702 for Server 2019/2022
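The following PowerShell script ties the verification steps above together; it is an added example, not part of the original advisory. It checks for the update KB named above, lists installed drivers whose names look like PostScript or PCL6 drivers, and counts recent event 307 entries from the PrintService operational log. The KB number (assumed to be the correct one for the build being checked; other builds use other KBs) and the driver-name pattern are assumptions to adjust for your environment.

```powershell
# Added verification script (not from the advisory). Run in an elevated PowerShell session.
# Assumptions: $Kb is the March 2023 update for this build (KB5023696 for Windows 10/11 per
# the advisory above; other builds use other KB numbers), and the PrintManagement module exists.
param(
    [string]$Kb = 'KB5023696',
    [int]$Hours = 24
)

$result = [ordered]@{}

# 1. Is the fixing update installed? Get-HotFix reads the same data as 'wmic qfe list'.
$fix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
$result.PatchInstalled = [bool]$fix
$result.InstalledOn    = if ($fix) { $fix.InstalledOn } else { $null }

# 2. Which PostScript / PCL6 drivers are present? Matching on name is an approximation:
#    driver names vary by vendor, so review the full Get-PrinterDriver output if this is empty.
$drivers = Get-PrinterDriver -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match 'PostScript|PS Class|PCL6|PCL 6|Point and Print' }
$result.MatchingDrivers = @($drivers | Select-Object -ExpandProperty Name)

# 3. Recent print activity (event 307 = "Printing a document") from the operational log.
#    This log is disabled by default; enable it in Event Viewer or with wevtutil before relying on it.
$since = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PrintService/Operational'
    Id        = 307
    StartTime = $since
} -ErrorAction SilentlyContinue
$result.RecentPrintJobs = @($events).Count

# 4. Verdict: patched, or still exposed while the drivers remain installed.
if ($result.PatchInstalled) {
    $result.Status = 'Patched'
} elseif ($result.MatchingDrivers.Count -gt 0) {
    $result.Status = 'VULNERABLE: update missing and PostScript/PCL6 drivers installed'
} else {
    $result.Status = 'Update missing; no matching drivers found (verify driver list manually)'
}

[pscustomobject]$result
```

Run it on each print server and client in scope; a Status of "Patched" confirms the fix, while "VULNERABLE" systems should be patched or have the drivers removed as described under Temporary Workarounds.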
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 307 in PrintService logs
- Unexpected print spooler crashes
- Suspicious print job submissions
Network Indicators:
- Unusual traffic to print spooler ports (135, 445, 9100)
- Malformed print job packets
SIEM Query:
source="Windows" AND (event_id=307 OR process_name="spoolsv.exe") AND (keywords="Warning" OR keywords="Error")