CVE-2023-35313

7.8 HIGH

📋 TL;DR

This vulnerability allows remote code execution through the Windows Online Certificate Status Protocol (OCSP) SnapIn component. Attackers can exploit this to execute arbitrary code with SYSTEM privileges on affected systems. This affects Windows systems with the vulnerable OCSP SnapIn component.

💻 Affected Systems

Products:
  • Windows Server
  • Windows Client
Versions: Multiple Windows versions - see Microsoft advisory for specific affected versions
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Systems with OCSP SnapIn enabled are vulnerable. The component may be present by default in certain Windows configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with SYSTEM privileges, enabling complete control over the affected system, data theft, lateral movement, and persistence establishment.

🟠 Likely Case: Remote code execution leading to malware deployment, credential harvesting, or ransomware installation on vulnerable systems.

🟢 If Mitigated: Limited impact due to network segmentation, proper patch management, and restricted administrative access preventing successful exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Microsoft rates this as 'Exploitation More Likely' in their advisory. The vulnerability requires specific conditions to be met for successful exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply the latest Windows security updates from Microsoft

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35313

Restart Required: Yes

Instructions:

1. Apply the latest Windows security updates from Microsoft.
2. Restart affected systems.
3. Verify the patch is applied successfully.

🔧 Temporary Workarounds

Disable OCSP SnapIn (platform: windows)
  • Disable the vulnerable OCSP SnapIn component if not required
  • Disable via Windows Features or Group Policy

Network Segmentation (platform: all)
  • Restrict network access to systems running OCSP services

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable systems
  • Apply principle of least privilege and restrict administrative access

🔍 How to Verify

Check if Vulnerable:

Check if OCSP SnapIn is enabled and verify Windows version against affected versions list

Check Version:

wmic os get version

Verify Fix Applied:

Verify Windows Update history shows the security patch applied and system version is updated

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from OCSP-related services
  • Failed authentication attempts to OCSP services
  • Abnormal network connections to OCSP ports

Network Indicators:

  • Suspicious traffic to OCSP service ports
  • Unusual certificate validation requests

SIEM Query:

Process creation where parent process contains 'ocsp' OR network traffic to port 80/443 with destination containing certificate validation patterns
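As an added example that is not part of this advisory, the PowerShell below ties the "How to Verify" steps to the process-creation log indicator above: it reports the OS version, whether a given update is installed, and whether the Online Responder role or its management snap-in is present, then scans Security event 4688 for processes whose parent name contains "ocsp". The feature names ADCS-Online-Cert and RSAT-Online-Responder and the KB placeholder are assumptions; take the real KB number for your build from the Microsoft advisory.

```powershell
# Added example, not from the advisory. Assumed: Windows feature names below and the KB placeholder.
$KbId = 'KBXXXXXXX'   # PLACEHOLDER: update KB for your Windows build, from the MSRC advisory

function Get-OcspExposure {
    # OS version (same data as "wmic os get version") plus patch and feature state
    $os     = Get-CimInstance Win32_OperatingSystem
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    $features = @()
    # Get-WindowsFeature exists on Windows Server only; feature names are assumptions
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $features = @(Get-WindowsFeature -Name 'ADCS-Online-Cert','RSAT-Online-Responder' -ErrorAction SilentlyContinue |
                      Where-Object Installed | Select-Object -ExpandProperty Name)
    }
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        OsVersion    = $os.Version
        Build        = $os.BuildNumber
        OcspFeatures = ($features -join ',')
        PatchApplied = [bool]$hotfix
        # Exposed when the OCSP component is present and the update is missing
        Vulnerable   = ($features.Count -gt 0) -and -not $hotfix
    }
}

function Find-OcspChildProcesses {
    param([int]$Hours = 24)
    # Security 4688 needs "Audit Process Creation" enabled; fields are read from the event XML
    $start = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$start} -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d      = ([xml]$_.ToXml()).Event.EventData.Data
        $parent = ($d | Where-Object Name -eq 'ParentProcessName').'#text'
        if ($parent -match 'ocsp') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Parent  = $parent
                Child   = ($d | Where-Object Name -eq 'NewProcessName').'#text'
                CmdLine = ($d | Where-Object Name -eq 'CommandLine').'#text'
            }
        }
      }
}

Get-OcspExposure | Format-List
Find-OcspChildProcesses | Format-Table -AutoSize
```

Any hit from Find-OcspChildProcesses is a triage lead, not proof of exploitation; review the child image and command line against what the Online Responder service legitimately launches on that host.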
