CVE-2023-24913

Q: What is the severity of CVE-2023-24913?

CVE-2023-24913 has a CVSS score of 8.8 (HIGH). This vulnerability allows remote attackers to execute arbitrary code on systems using Microsoft PostScript and PCL6 Class Printer Drivers. Attackers can exploit this by sending specially crafted print jobs to vulnerable systems. Affected systems include Windows servers and workstations with these printer drivers installed.

8.8 HIGH

Remote Code Execution

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on systems using Microsoft PostScript and PCL6 Class Printer Drivers. Attackers can exploit this by sending specially crafted print jobs to vulnerable systems. Affected systems include Windows servers and workstations with these printer drivers installed.

💻 Affected Systems

Products:

Microsoft PostScript Printer Driver
Microsoft PCL6 Class Printer Driver

Versions: All versions prior to security updates released in May 2023

Operating Systems: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Default Config Vulnerable: ⚠️ Yes

Notes: Systems with these printer drivers installed are vulnerable. Print servers and workstations with shared printers are particularly at risk.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with administrative privileges, allowing attackers to install malware, steal data, or pivot to other systems.

🟠

Likely Case

Privilege escalation leading to lateral movement within networks, particularly in enterprise environments with shared printers.

🟢

If Mitigated

Limited impact with proper network segmentation and printer server isolation, potentially only affecting the print spooler service.

🌐 Internet-Facing: MEDIUM - Print servers exposed to the internet are vulnerable, but exploitation requires sending print jobs to the vulnerable endpoint.

🏢 Internal Only: HIGH - Internal print servers and workstations with shared printers are common targets for lateral movement in enterprise networks.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending malicious print jobs to vulnerable systems. No authentication is required if print services are exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Security updates released in May 2023 (KB5026372 for Windows 10, KB5026371 for Windows 11, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24913

Restart Required: Yes

Instructions:

1. Apply May 2023 security updates from Windows Update. 2. For enterprise environments, deploy updates via WSUS or SCCM. 3. Restart systems after patch installation.

🔧 Temporary Workarounds

Disable Print Spooler Service

windows

Disables the Print Spooler service to prevent exploitation via print jobs.

sc config spooler start= disabled
sc stop spooler

Restrict Printer Sharing

windows

Disable printer sharing to prevent remote print job submission.

Set-Printer -Name "*" -Shared $false

🧯 If You Can't Patch

Network segmentation: Isolate print servers from critical systems and restrict access to print services.
Implement strict firewall rules: Block inbound connections to print spooler ports (TCP 9100, 515, 631) from untrusted networks.

🔍 How to Verify

Check if Vulnerable:

Check if May 2023 security updates are installed via 'wmic qfe list' or 'Get-HotFix' in PowerShell.

Check Version:

wmic qfe list | findstr KB5026372

Verify Fix Applied:

Verify security update KB5026372 (or equivalent for your OS) is installed and Print Spooler service is running version 10.0.xxxxx.xxxx or later.

📡 Detection & Monitoring

Log Indicators:

Event ID 4625 failed logins to print spooler
Unusual print job submissions from unexpected sources
Spooler service crashes (Event ID 7031)

Network Indicators:

Unexpected connections to TCP ports 9100, 515, 631
Malformed print job packets to print servers

SIEM Query:

source="windows" event_id=4625 OR event_id=7031 | where process_name="spoolsv.exe"

📊 Metadata

CVE ID: CVE-2023-24913

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-122

Published: March 14, 2023

Last Updated: November 21, 2024

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24913 Patch,Vendor Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24913 Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 20h2 by Microsoft

Windows 10 20h2 by Microsoft

Windows 10 20h2 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 21h2 by Microsoft

Windows 11 21h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable Print Spooler Service

Restrict Printer Sharing

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities