CVE-2023-24929

8.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on systems that have the vulnerable Microsoft PostScript or PCL6 Class Printer Driver installed. An attacker who can submit a print job to such a host triggers the flaw with a specially crafted job; the driver code runs inside the Print Spooler, which runs as SYSTEM, so successful exploitation yields code execution at that level. Organizations running Windows print servers, or workstations that share or accept print jobs with these in-box drivers, are affected.

💻 Affected Systems

Products:
  • Microsoft PostScript Printer Driver
  • Microsoft PCL6 Class Printer Driver
Versions: Multiple Windows versions - see Microsoft advisory for specific affected versions
Operating Systems: Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows 10, Windows 11
Default Config Vulnerable: ⚠️ Yes
Notes: Systems with these printer drivers installed are vulnerable. Print servers and workstations with network printing capabilities are at highest risk.

📦 What is this software?

The Microsoft PostScript (PS) Class Driver and the Microsoft PCL6 Class Driver are the generic "class" printer drivers that ship in-box with Windows. They let Windows print to PostScript- and PCL6-capable printers without a vendor-specific driver, which is why they are present on most workstations and print servers whether or not an administrator installed them deliberately.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining SYSTEM privileges, enabling lateral movement, data exfiltration, and persistent access to the network.

🟠

Likely Case

Privilege escalation leading to installation of malware, ransomware deployment, or credential theft from compromised systems.

🟢

If Mitigated

Limited impact with proper network segmentation, print server isolation, and least privilege configurations preventing lateral movement.

🌐 Internet-Facing: MEDIUM - A print server reachable from the internet can be targeted directly, but the attacker still needs to be able to submit a print job to it, which limits opportunistic mass exploitation.
🏢 Internal Only: HIGH - Any internal user or compromised workstation that can reach a shared queue can hand a crafted job to the driver, gain SYSTEM on the print server, and use it as a pivot for lateral movement.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No
Complexity: MEDIUM

Exploitation requires ability to send print jobs to vulnerable systems. No public exploit code available at time of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: May 2023 security updates (KB numbers differ per Windows version and build; take the KB for your build from the Microsoft advisory)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24929

Restart Required: Yes

Instructions:

1. Apply the May 2023 Windows security update for the affected build from Windows Update.
2. In enterprise environments, deploy the update through WSUS, SCCM/Configuration Manager, or Intune.
3. Restart affected systems after installation; the spooler and driver binaries are not replaced until the reboot completes.

🔧 Temporary Workarounds

Disable vulnerable printer drivers

Remove the Microsoft PostScript and PCL6 class drivers from hosts that do not print through them. Two caveats: Remove-PrinterDriver fails while any printer queue still references the driver, and every queue that relies on the driver stops working once it is gone. The exact driver names also vary by build (for example "Microsoft PS Class Driver"), so confirm them with Get-PrinterDriver before running the removal.

```powershell
# Only after the dependent queues have been deleted or re-pointed to another driver;
# substitute the exact driver names reported by Get-PrinterDriver on this host.
Remove-PrinterDriver -Name "Microsoft PostScript Printer Driver"
Remove-PrinterDriver -Name "Microsoft PCL6 Class Printer Driver"
```

Restrict print spooler access

Print jobs reach a Windows host over SMB (TCP 445, plus 139 for legacy NetBIOS sessions), so a blanket inbound block on those ports also cuts off file sharing, remote management over SMB, and domain traffic for that host. Scope the rule to the address ranges that should never print to it and leave the trusted print clients alone. TCP 9100 is the raw-printing port a printer listens on; blocking it inbound on a Windows host only matters if the host itself runs a raw or LPD listener.

```powershell
# Block SMB-borne print job submission from untrusted ranges only.
# 192.0.2.0/24 is a placeholder: substitute the ranges that must not reach this host.
New-NetFirewallRule -DisplayName "Block Print Spooler (untrusted)" -Direction Inbound -Protocol TCP -LocalPort 445,139 -RemoteAddress 192.0.2.0/24 -Action Block
```

🧯 If You Can't Patch

  • Isolate print servers in a separate network segment with strict firewall rules, so that only known print clients can reach their shared queues
  • Stop and disable the Print Spooler service on servers and workstations that never print or share printers; without a running spooler the driver is never loaded
  • Implement network-based intrusion detection for anomalous print job traffic, in particular SMB print submissions from hosts that have never printed to that server before

🔍 How to Verify

Check if Vulnerable:

Check whether the affected class drivers are installed (names vary by build; look for "PostScript", "PS Class" or "PCL6"):

```powershell
Get-PrinterDriver | Select Name, Manufacturer, DriverVersion
```

Check Version:

```powershell
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
```

Verify Fix Applied:

Verify that the update for this CVE is installed. Look for the KB number for your build (from the advisory) directly rather than pattern-matching the install date: InstalledOn is a DateTime, and its string form depends on the system locale, so a wildcard such as "*05/2023*" silently matches nothing on many hosts.

```powershell
Get-HotFix -Id KBnnnnnnn   # substitute the KB from the MSRC advisory for this build
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn
```
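The three checks above fit together into one exposure report per host: which affected drivers are present, which queues (shared or not) are bound to them, whether the spooler is running, whether the PrintService log needed for detection is on, and whether the update is installed. The script below is an added example, not Microsoft's tooling and not part of the original advisory. It assumes the class drivers can be matched loosely by name (the exact Get-PrinterDriver names vary by build), and $RequiredKB is a placeholder to be replaced with the KB for the host's build from the MSRC advisory.

```powershell
#Requires -RunAsAdministrator
# Added example: CVE-2023-24929 exposure report for the local host.
# Assumptions: affected in-box class drivers are matched by name pattern, because the
# exact names differ per build ("Microsoft PS Class Driver", "Microsoft PCL6 Class Driver");
# $RequiredKB is a placeholder for the KB listed in the MSRC advisory for this build.

$DriverPattern = 'PostScript|PS Class|PCL6'
$RequiredKB    = 'KBnnnnnnn'   # placeholder, take the real KB from the advisory

function Get-AffectedPrintDrivers {
    # Installed drivers whose name matches the affected class drivers
    Get-PrinterDriver | Where-Object { $_.Name -match $DriverPattern } |
        Select-Object Name, Manufacturer, DriverVersion, MajorVersion
}

function Get-PrintersUsingAffectedDrivers {
    # Queues bound to those drivers. They break if the driver is removed, and a shared
    # queue is the path a remote user takes to hand a crafted job to the driver.
    Get-Printer | Where-Object { $_.DriverName -match $DriverPattern } |
        Select-Object Name, DriverName, PortName, Shared
}

function Get-SpoolerExposure {
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $status  = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
    $startup = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
    $logOn   = (Get-WinEvent -ListLog 'Microsoft-Windows-PrintService/Operational').IsEnabled
    [pscustomobject]@{
        SpoolerStatus  = $status
        SpoolerStartup = $startup
        SharedQueues   = @(Get-Printer | Where-Object { $_.Shared }).Count
        OperationalLog = $logOn   # must be $true for event-based detection to see anything
    }
}

function Test-UpdateInstalled {
    param([Parameter(Mandatory)][string]$KB)
    [bool](Get-HotFix -Id $KB -ErrorAction SilentlyContinue)
}

$drivers  = @(Get-AffectedPrintDrivers)
$queues   = @(Get-PrintersUsingAffectedDrivers)
$exposure = Get-SpoolerExposure
$patched  = Test-UpdateInstalled -KB $RequiredKB

"Affected drivers installed : $($drivers.Count)"
$drivers | Format-Table -AutoSize
"Queues using them          : $($queues.Count) ($(@($queues | Where-Object { $_.Shared }).Count) shared)"
$queues | Format-Table -AutoSize
$exposure | Format-List

$verdict = if ($drivers.Count -eq 0) { 'NOT AFFECTED: no affected class driver installed' }
           elseif ($patched) { "PATCHED: $RequiredKB is installed" }
           elseif ($exposure.SpoolerStatus -ne 'Running') { 'MITIGATED: spooler not running (re-check if it is started)' }
           else { 'VULNERABLE: affected driver present, update missing, spooler running' }
"Verdict: $verdict"
if (-not $exposure.OperationalLog) {
    'Note: the PrintService/Operational log is disabled; enable it before relying on print event detection.'
}
```

Run it as an administrator on each print server and on a sample of workstations; a host that reports zero affected drivers but a running spooler is still worth re-checking after driver updates, because Windows re-adds the class drivers when a matching printer is installed.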

📡 Detection & Monitoring

Log Indicators:

  • Event ID 307 (document printed) in Microsoft-Windows-PrintService/Operational. This log is disabled by default; enable it (for example with wevtutil sl Microsoft-Windows-PrintService/Operational /e:true) or none of these indicators will exist.
  • Event ID 316 (printer driver added or updated) naming the PostScript or PCL6 class driver outside a change window
  • Event ID 808 (print spooler failed to load a plug-in module) and Print Spooler crashes, which can follow a failed exploitation attempt
  • Print job submissions from users or hosts that do not normally print to that queue

Network Indicators:

  • Anomalous SMB traffic to print servers
  • Unexpected print job submissions from unusual sources
  • Port 9100 traffic from unauthorized hosts

SIEM Query (Splunk syntax; adjust the index and field names to your collector):

index=wineventlog source="WinEventLog:Microsoft-Windows-PrintService/Operational" (EventCode=307 OR EventCode=316 OR EventCode=808) (Message="*PostScript*" OR Message="*PS Class*" OR Message="*PCL6*")
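On a host without a SIEM feed, the same indicators can be pulled straight from the PrintService log. The script below is an added example, not Microsoft tooling and not part of the original advisory: it parses event 307 messages into owner, submitting host and printer, flags jobs from hosts outside an allow list, flags 316 events that touch the affected class drivers, and surfaces 808 plug-in load failures. It assumes the Operational log is enabled, that the 307 message uses the wording "owned by USER on \\HOST was printed on PRINTER through port PORT" seen on current builds, and $TrustedSubmitters is a placeholder host list for your environment. The sample message at the end is constructed so the parser can be exercised offline.

```powershell
# Added example: triage of Microsoft-Windows-PrintService/Operational for CVE-2023-24929.
# Assumptions: the Operational log is enabled; event 307 text follows the
# "owned by USER on \\HOST was printed on PRINTER through port PORT" wording;
# $TrustedSubmitters is a placeholder list of hosts that are expected to submit jobs.

$LogName           = 'Microsoft-Windows-PrintService/Operational'
$DriverPattern     = 'PostScript|PS Class|PCL6'
$TrustedSubmitters = @('WS01', 'WS02', 'PRINTSRV01')   # placeholder for your environment

function ConvertFrom-PrintJobMessage {
    # Extract owner, submitting host, printer and port from an event 307 message.
    # Returns nothing when the text does not match the expected wording.
    param([Parameter(Mandatory)][string]$Message)
    $pattern = 'owned by (?<user>\S+) on \\\\(?<host>\S+) was printed on (?<printer>.+?) (?:through|via) port (?<port>\S+)\.'
    if ($Message -match $pattern) {
        [pscustomobject]@{
            User    = $Matches['user']
            Host    = $Matches['host']
            Printer = $Matches['printer']
            Port    = $Matches['port']
        }
    }
}

function Get-SuspiciousPrintEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = $LogName; Id = 307, 316, 808; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $reason = $null
        $detail = $e.Message -replace '\s+', ' '
        switch ($e.Id) {
            307 {
                $job = ConvertFrom-PrintJobMessage -Message $e.Message
                if ($job -and $TrustedSubmitters -notcontains $job.Host) {
                    $reason = 'print job from host outside allow list'
                    $detail = "$($job.User) on \\$($job.Host) -> $($job.Printer) (port $($job.Port))"
                }
            }
            316 {
                # Driver add/update naming an affected class driver; correlate with change records
                if ($e.Message -match $DriverPattern) { $reason = 'affected class driver added or updated' }
            }
            808 {
                # Spooler could not load a plug-in module: a driver DLL that failed after a crash or replacement
                $reason = 'spooler failed to load a plug-in module'
            }
        }
        if ($reason) {
            [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Reason = $reason; Detail = $detail }
        }
    }
}

# Constructed sample 307 message (not a real log line) to exercise the parser offline:
$sample = 'Document 42, Print Document owned by alice on \\WS09 was printed on HR-Printer through port 10.1.2.3_1.  Size in bytes: 18432. Pages printed: 2. No user action is required.'
ConvertFrom-PrintJobMessage -Message $sample | Format-List

# Live query against the local log (run as an administrator):
Get-SuspiciousPrintEvents -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

The allow-list check is deliberately simple: on a print server, the set of hosts that legitimately submit jobs is usually stable, so a first-time submitter is the cheapest signal available. Pair it with the 316 and 808 events, since a crafted job that crashes the driver tends to leave a plug-in load failure rather than a clean 307.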
