CVE-2023-35297

8.1 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on affected Windows systems by sending specially crafted PGM (Pragmatic General Multicast) protocol packets. It affects Windows systems with the PGM feature enabled, primarily servers using Windows Server editions. Attackers can exploit this without authentication to gain SYSTEM-level privileges.

💻 Affected Systems

Products:
  • Windows Server
  • Windows Client
Versions: Windows Server 2008 through Windows Server 2022, Windows 10, Windows 11
Operating Systems: Windows
Default Config Vulnerable: ✅ No
Notes: PGM is not enabled by default on most Windows systems. Primarily affects systems where PGM protocol is explicitly enabled for applications like messaging systems or specific multicast applications.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with SYSTEM privileges leading to data theft, ransomware deployment, lateral movement, and persistent backdoor installation.

🟠 Likely Case: Remote code execution leading to an initial foothold in enterprise networks, credential harvesting, and deployment of additional malware payloads.

🟢 If Mitigated: Blocked exploitation attempts with no impact due to proper network segmentation, disabled PGM, or patched systems.

🌐 Internet-Facing: HIGH - PGM traffic can traverse networks and internet-facing systems with PGM enabled are directly exploitable.
🏢 Internal Only: MEDIUM - Requires attacker to have network access to vulnerable systems, but internal systems with PGM enabled remain at risk.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires sending specially crafted PGM packets to vulnerable systems. No authentication needed, but attacker must reach systems with PGM enabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: July 2023 security updates (KB5028166 for Windows 11, KB5028168 for Windows 10, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35297

Restart Required: Yes

Instructions:

1. Apply the July 2023 Windows security updates via Windows Update.
2. For enterprise: deploy updates through WSUS, SCCM, or Intune.
3. Verify installation via winver or systeminfo.
4. Restart systems as required.

🔧 Temporary Workarounds

Disable PGM Protocol (platform: Windows)

Disables the Pragmatic General Multicast protocol to prevent exploitation.

netsh int ipv4 set global multicastforwarding=disabled
netsh int ipv6 set global multicastforwarding=disabled

Block PGM Ports (platform: all)

Block PGM traffic at the network perimeter and at internal segmentation points.

Firewall rule: Block UDP ports 3010-3012 (PGM standard ports)

🧯 If You Can't Patch

  • Disable PGM protocol on all affected systems using netsh commands.
  • Implement network segmentation to isolate systems with PGM enabled and block PGM traffic at firewalls.

🔍 How to Verify

Check if Vulnerable:

Check if PGM is enabled: netsh int ipv4 show global | findstr multicastforwarding

Check Version:

winver or systeminfo

Verify Fix Applied:

Verify July 2023 security updates are installed: systeminfo | findstr "KB502816"

📡 Detection & Monitoring

Log Indicators:

  • Windows Security Event ID 4688 (process creation) from unexpected PGM-related processes
  • Application crashes related to mswsock.dll or ws2_32.dll

Network Indicators:

  • Unusual PGM traffic patterns, especially to UDP ports 3010-3012
  • PGM packets with malformed headers or unexpected payloads

SIEM Query:

EventID=4688 AND (ProcessName="cmd.exe" OR ProcessName="powershell.exe") AND ParentProcessName contains "pgm"
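The "Verify Fix Applied" check and the SIEM query above, as an added example that is not part of this advisory: a small Python helper that parses `systeminfo`-style hotfix output for the July 2023 KBs named on the page and evaluates the 4688 rule over constructed event records. The hotfix output, event records and the parent image name `PgmRelay.exe` are all constructed sample data, not real telemetry.

```python
import re

# July 2023 update KBs named in the advisory (which one applies depends on the
# Windows edition and build; the advisory's "etc." covers the others).
JULY_2023_KBS = {"KB5028166", "KB5028168"}

def installed_kbs(systeminfo_output: str) -> set:
    """Collect KB identifiers from the hotfix section of `systeminfo` output."""
    return set(re.findall(r"\bKB\d{7}\b", systeminfo_output))

def fix_applied(systeminfo_output: str, required=JULY_2023_KBS) -> bool:
    """True when at least one of the listed July 2023 KBs is installed."""
    return bool(installed_kbs(systeminfo_output) & required)

def matches_siem_rule(event: dict) -> bool:
    """The advisory's query: EventID=4688, cmd.exe or powershell.exe, and a
    parent image name containing "pgm". 4688 records carry full image paths,
    so compare on the file name and ignore case."""
    if event.get("EventID") != 4688:
        return False
    proc = event.get("ProcessName", "").lower().rsplit("\\", 1)[-1]
    parent = event.get("ParentProcessName", "").lower()
    return proc in {"cmd.exe", "powershell.exe"} and "pgm" in parent

def suspicious_events(events) -> list:
    """Return the 4688 records that match the rule, in input order."""
    return [e for e in events if matches_siem_rule(e)]

# Constructed sample data (not real telemetry).
SAMPLE_SYSTEMINFO = """Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: KB5027231
                           [02]: KB5028166
"""

SAMPLE_EVENTS = [
    {"EventID": 4688, "ProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Program Files\Vendor\PgmRelay.exe"},
    {"EventID": 4688, "ProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4689, "ProcessName": r"C:\Windows\System32\powershell.exe",
     "ParentProcessName": r"C:\Program Files\Vendor\PgmRelay.exe"},
]

if __name__ == "__main__":
    print("fix applied:", fix_applied(SAMPLE_SYSTEMINFO))
    print("suspicious:", suspicious_events(SAMPLE_EVENTS))
```

Feed it real `systeminfo` output or exported 4688 records in place of the samples; the KB set should be adjusted to the edition-specific update actually required for each host.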
