CVE-2023-31096

7.8 HIGH

📋 TL;DR

CVE-2023-31096 is a stack-based buffer overflow in AGRSM64.sys, the Broadcom (formerly LSI/Agere) PCI-SV92EX soft modem kernel driver, in versions through 2.2.100.1. A local attacker running code in a medium-integrity process can trigger it to execute code in the kernel and escalate to SYSTEM. Kernel-mode execution of this kind is what lets ransomware operators tamper with antivirus/EDR sensors and PPL (Protected Process Light) protected processes, and vulnerable signed drivers of this kind are also carried onto hosts by attackers who already hold administrative rights (BYOVD) to reach kernel mode.

💻 Affected Systems

Products:
  • Broadcom LSI PCI-SV92EX Soft Modem Kernel Driver (AGRSM64.sys)
Versions: Through version 2.2.100.1
Operating Systems: Windows systems with the vulnerable driver installed
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the vulnerable driver to be loaded. Most current systems do not have this modem driver, but because the binary is a signed kernel driver an attacker who already holds administrative rights can load it on a host that never shipped the modem (BYOVD); on such hosts the bug is an admin-to-kernel step rather than a medium-to-SYSTEM one.

📦 What is this software?

AGRSM64.sys is the 64-bit kernel-mode driver for the Agere Systems "soft modem" (a V.92 dial-up modem such as the PCI-SV92EX, whose signal processing is done by the host CPU rather than by modem hardware). It shipped pre-installed on many laptops and desktops of the late 2000s and early 2010s. Agere's modem business passed to LSI in 2007 and to Broadcom with the LSI acquisition in 2014, which is why the CVE is filed against Broadcom even though the driver still carries the Agere name.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full SYSTEM compromise via arbitrary kernel-mode code execution: ransomware deployment, data exfiltration, persistence, and tampering with EDR/antivirus sensors and PPL-protected processes that user-mode malware cannot reach.

🟠

Likely Case

Local privilege escalation used in targeted attacks to gain SYSTEM privileges for credential dumping, lateral movement, or disabling security software.

🟢

If Mitigated

Limited impact with proper driver blocklisting, least privilege enforcement, and security monitoring detecting privilege escalation attempts.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access or code execution first.
🏢 Internal Only: HIGH - Once an attacker gains initial access to a system, they can exploit this to gain full control and potentially move laterally.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires code execution on the host in a medium-integrity process first (for example a standard user session). The vulnerability is well documented, with public technical analysis available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.broadcom.com

Restart Required: Yes, to unload the running driver and for block rules to take effect

Instructions:

Check Broadcom's site for an updated driver. If none is available, remove the driver package (pnputil) and block the file with the Microsoft Vulnerable Driver Blocklist or a WDAC deny rule, then reboot so the loaded copy is unloaded.

🔧 Temporary Workarounds

Driver Blocklisting

windows

Turn on the Microsoft Vulnerable Driver Blocklist (Windows 10 and 11; already on by default with HVCI, Smart App Control, or Windows 11 22H2 and later). This is the documented registry value; there is no "DriverBlockRules" policy key. It only stops AGRSM64.sys if Microsoft's recommended driver block rules list that file, so check the current list and otherwise deploy a WDAC policy with your own deny rule for AGRSM64.sys. Reboot afterwards.

reg add "HKLM\SYSTEM\CurrentControlSet\Control\CI\Config" /v VulnerableDriverBlocklistEnable /t REG_DWORD /d 1 /f

Driver Removal

windows

Uninstall the Broadcom LSI PCI-SV92EX Soft Modem driver if not needed. Look the device up first (pnputil /remove-device takes a device instance ID, not a hardware-ID pattern, and the earlier VEN_14E4&DEV_16B5 identifier is a Broadcom NetXtreme Ethernet ID, not this modem); then delete the staged driver package so PnP cannot reinstall it. oemNN.inf is a placeholder for the published name shown by /enum-drivers. Windows 10 2004 or later pnputil syntax.

pnputil /enum-devices /class Modem
pnputil /remove-device "<instance ID of the PCI-SV92EX device shown above>"
pnputil /enum-drivers
pnputil /delete-driver oemNN.inf /uninstall /force

🧯 If You Can't Patch

  • Implement strict least privilege principles to limit initial access opportunities
  • Enable memory integrity (HVCI) and the Microsoft Vulnerable Driver Blocklist so a known-bad signed driver cannot be (re)loaded
  • Deploy endpoint detection and response (EDR) solutions and monitor driver-load and service-installation events for AGRSM64.sys

🔍 How to Verify

Check if Vulnerable:

Check driver version: Open Device Manager > Modems > Broadcom LSI PCI-SV92EX Soft Modem > Driver tab. Versions through 2.2.100.1 are affected; because no fixed version is listed, treat any installed copy as suspect until Broadcom publishes a fix.

Check Version:

powershell
Get-CimInstance Win32_PnPSignedDriver | Where-Object { $_.DeviceName -like '*SV92EX*' } | Select-Object DeviceName, DriverVersion, InfName
(Get-Item "$env:SystemRoot\System32\drivers\AGRSM64.sys" -ErrorAction SilentlyContinue).VersionInfo.FileVersion

Verify Fix Applied:

Verify the driver is neither loaded nor staged. The kernel service is not guaranteed to be named AGRSM64, so match on the image path rather than on a service name, and confirm the device no longer appears in Device Manager.

powershell
Get-CimInstance Win32_SystemDriver | Where-Object { $_.PathName -like '*agrsm64.sys' } | Select-Object Name, State, PathName
driverquery /v | findstr /i agrsm
pnputil /enum-drivers | findstr /i agrsm
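The following script is an added example, not part of the advisory or of any Broadcom tooling. It ties the Temporary Workarounds and How to Verify steps together: it reports every copy of AGRSM64.sys on the host with its version and whether the driver is loaded or staged, and with -Remediate disables and removes the PnP device, deletes the driver package, and enables the Microsoft Vulnerable Driver Blocklist. The '*SV92EX*' friendly-name match and the assumption that Microsoft's block rules cover this file are assumptions marked in the comments; the Dism and PnpDevice modules and the Windows 10 2004+ pnputil syntax are required.

```powershell
# Added example (not from the advisory or from Broadcom): report and, with -Remediate,
# neutralise AGRSM64.sys. Run from an elevated PowerShell session.
[CmdletBinding()]
param([switch]$Remediate)

$DriverFile    = 'AGRSM64.sys'
$MaxVulnerable = [version]'2.2.100.1'   # "through 2.2.100.1" per the CVE description

function Get-AgrsmFile {
    # Copies in System32\drivers (the one that loads) and in the DriverStore (staged packages).
    $candidates = @("$env:SystemRoot\System32\drivers\$DriverFile")
    $store = "$env:SystemRoot\System32\DriverStore\FileRepository"
    if (Test-Path $store) {
        $candidates += Get-ChildItem $store -Filter $DriverFile -Recurse -File -ErrorAction SilentlyContinue |
                       ForEach-Object FullName
    }
    foreach ($p in $candidates) {
        if (-not (Test-Path $p)) { continue }
        $vi = (Get-Item $p).VersionInfo
        # Build a comparable version from the numeric parts; FileVersion may contain free text.
        $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        [pscustomobject]@{ Path = $p; Version = $ver; Vulnerable = ($ver -le $MaxVulnerable) }
    }
}

function Get-AgrsmService {
    # Match on the image path; do not assume the kernel service object is named AGRSM64.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -like "*$DriverFile" } |
        Select-Object Name, State, StartMode, PathName
}

function Get-AgrsmDevice {
    # Friendly-name match (assumption); hardware IDs are deliberately not hard-coded.
    Get-PnpDevice -FriendlyName '*SV92EX*' -ErrorAction SilentlyContinue
}

function Get-AgrsmPackage {
    # Third-party packages whose DriverStore folder holds the binary; .Driver is the oemNN.inf name.
    Get-WindowsDriver -Online | Where-Object {
        Test-Path (Join-Path (Split-Path $_.OriginalFileName -Parent) $DriverFile)
    }
}

function Invoke-AgrsmRemediation {
    foreach ($dev in Get-AgrsmDevice) {
        Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false -ErrorAction Continue
        & pnputil.exe /remove-device $dev.InstanceId
    }
    foreach ($pkg in Get-AgrsmPackage) {
        # /uninstall detaches the package from any device still using it; /force removes it even if in use.
        & pnputil.exe /delete-driver $pkg.Driver /uninstall /force
    }
    # Microsoft Vulnerable Driver Blocklist (documented value). It only stops AGRSM64.sys if
    # Microsoft's recommended driver block rules list that file (assumption: check the current
    # list); otherwise deploy a WDAC policy with your own deny rule for it.
    $ci = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    if (-not (Test-Path $ci)) { New-Item -Path $ci -Force | Out-Null }
    Set-ItemProperty -Path $ci -Name VulnerableDriverBlocklistEnable -Type DWord -Value 1
}

$files   = @(Get-AgrsmFile)
$service = @(Get-AgrsmService)
if (-not $files -and -not $service) {
    Write-Output "$DriverFile not present; this host is not affected by CVE-2023-31096."
    return
}
Write-Output '--- driver binaries ---'; $files   | Format-Table -AutoSize
Write-Output '--- driver service ---';  $service | Format-Table -AutoSize
Write-Output '--- PnP device(s) ---';   Get-AgrsmDevice | Format-Table Status, FriendlyName, InstanceId -AutoSize
if ($Remediate) {
    Invoke-AgrsmRemediation
    Write-Warning 'Reboot so the running driver unloads and the block rule takes effect.'
}
```

Run it once without -Remediate to see what is present (a copy in the DriverStore alone means the device can be re-plumbed later, which is why the package is deleted rather than just the device), then with -Remediate, and reboot.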

📡 Detection & Monitoring

Log Indicators:

  • System Event ID 7045 (Service Control Manager): a new service whose ImagePath points at AGRSM64.sys, the pattern left when an attacker brings the driver onto a host
  • Driver load events for AGRSM64.sys: Sysmon Event ID 6 (Driver loaded), and Microsoft-Windows-CodeIntegrity/Operational Event ID 3077 when a block rule stopped the load
  • Security Event ID 4688 showing a process with Mandatory Label S-1-16-16384 (System) created by a parent that is not a normal SYSTEM-spawning process such as services.exe or svchost.exe; Windows does not log "medium to SYSTEM" directly, so this is a heuristic that needs tuning

Network Indicators:

  • Unusual outbound connections following local privilege escalation

SIEM Query:

Splunk syntax with the Windows TA field names; 4688 must carry Mandatory Label and Creator Process Name (Windows 10 / Server 2016 or later). The original query's NewIntegrityLevel and SubjectIntegrityLevel fields do not exist in 4688.

source="WinEventLog:Security" EventCode=4688 Mandatory_Label="S-1-16-16384" NOT Creator_Process_Name IN ("*\\services.exe","*\\svchost.exe","*\\wininit.exe","*\\smss.exe","*\\csrss.exe","*\\winlogon.exe") | stats count values(New_Process_Name) by host, Creator_Process_Name, Subject_User_Name

source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=6 ImageLoaded="*\\agrsm64.sys" | table _time, host, ImageLoaded, Signed, Signature
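As an added example (not part of the advisory), the same detections as a host-side hunt you can run with Get-WinEvent when there is no SIEM in front of the box. It flags AGRSM64.sys being loaded (Sysmon 6), staged as a service (7045) or blocked by a block rule (3077), and the 4688 shape of a medium-to-SYSTEM escalation: a SYSTEM-labelled process whose parent is not on a list of parents that normally spawn SYSTEM. That parent list is an assumption and will need tuning; 4688 auditing with ParentProcessName and MandatoryLabel (Windows 10 / Server 2016 or later) and a Sysmon install with driver-load logging are assumed.

```powershell
# Added example (not from the advisory): hunt for CVE-2023-31096 indicators in local event logs.
# Run as an administrator.
param([datetime]$Since = (Get-Date).AddDays(-7))

$DriverName = 'agrsm64.sys'
# Parents that legitimately create SYSTEM processes on most hosts (assumed; extend for your estate).
$TrustedParents = @('services.exe','svchost.exe','wininit.exe','smss.exe','csrss.exe',
                    'winlogon.exe','lsass.exe','msiexec.exe','TrustedInstaller.exe','MsMpEng.exe')

function Get-EventData($evt) {
    # Flatten <EventData><Data Name=...> into a hashtable so fields are addressed by name, not by index.
    $h = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

function New-Hit($evt, $rule, $detail) {
    [pscustomobject]@{ Time = $evt.TimeCreated; Host = $evt.MachineName; Id = $evt.Id; Rule = $rule; Detail = $detail }
}

function Find-Events([hashtable]$filter) {
    $filter['StartTime'] = $Since
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue   # missing log -> no events
}

# (a) the driver itself: loaded, installed as a service, or stopped by a block rule
foreach ($e in Find-Events @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 }) {
    $d = Get-EventData $e
    if ($d.ImageLoaded -like "*\$DriverName") {
        New-Hit $e 'Sysmon driver load' "$($d.ImageLoaded) signed=$($d.Signed) $($d.Signature)"
    }
}
foreach ($e in Find-Events @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 }) {
    $d = Get-EventData $e
    if ($d.ImagePath -like "*$DriverName*") {
        New-Hit $e 'Service installed for driver' "$($d.ServiceName) -> $($d.ImagePath) by $($d.AccountName)"
    }
}
foreach ($e in Find-Events @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3077 }) {
    if ($e.Message -match [regex]::Escape($DriverName)) {
        New-Hit $e 'Block rule stopped driver load' (($e.Message -split "`n")[0])
    }
}

# (b) escalation shape: SYSTEM mandatory label (S-1-16-16384) from a parent that does not normally spawn SYSTEM
foreach ($e in Find-Events @{ LogName = 'Security'; Id = 4688 }) {
    $d = Get-EventData $e
    if ($d.MandatoryLabel -ne 'S-1-16-16384' -or -not $d.ParentProcessName) { continue }
    $parent = Split-Path $d.ParentProcessName -Leaf
    if ($TrustedParents -notcontains $parent) {
        New-Hit $e 'SYSTEM process from untrusted parent' "$($d.ParentProcessName) -> $($d.NewProcessName) (subject $($d.SubjectUserName))"
    }
}
```

Rule (b) is the noisy one: installers, scheduled tasks and some agents also produce SYSTEM children from unusual parents, so review hits alongside the driver-load rules rather than alerting on (b) alone. Pipe the output to Export-Csv or Out-GridView to triage.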
