CVE-2023-35350 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2023-35350?

CVE-2023-35350 has a CVSS score of 7.2 (HIGH). This vulnerability allows remote attackers to execute arbitrary code on Windows Active Directory Certificate Services (AD CS) servers by sending specially crafted requests. It affects organizations running AD CS on Windows Server systems. Successful exploitation could lead to complete system compromise.

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Windows Active Directory Certificate Services (AD CS) servers by sending specially crafted requests. It affects organizations running AD CS on Windows Server systems. Successful exploitation could lead to complete system compromise.

💻 Affected Systems

Products:

Windows Server

Versions: Windows Server 2012 R2, 2016, 2019, 2022

Operating Systems: Windows Server

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems with Active Directory Certificate Services role installed and configured.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full domain compromise via AD CS server takeover, enabling lateral movement, credential theft, and persistence across the entire Active Directory environment.

🟠

Likely Case

Compromise of the AD CS server leading to certificate authority manipulation, allowing attackers to issue fraudulent certificates for authentication bypass and privilege escalation.

🟢

If Mitigated

Limited impact with proper network segmentation, certificate authority monitoring, and restricted administrative access preventing lateral movement.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires network access to AD CS server and specific conditions for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: July 2023 security updates

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35350

Restart Required: Yes

Instructions:

1. Apply July 2023 Windows Server security updates via Windows Update. 2. Restart affected servers. 3. Verify patch installation via Windows Update history.

🔧 Temporary Workarounds

Network Segmentation

all

Restrict network access to AD CS servers to only necessary clients and services.

Certificate Authority Monitoring

windows

Enable detailed auditing of certificate issuance and CA operations.

auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

🧯 If You Can't Patch

Implement strict network access controls to isolate AD CS servers
Enable enhanced certificate authority auditing and monitor for suspicious certificate requests

🔍 How to Verify

Check if Vulnerable:

Check if AD CS role is installed and July 2023 security updates are not applied.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify July 2023 security updates are installed via Windows Update history or Get-HotFix PowerShell command.

📡 Detection & Monitoring

Log Indicators:

Unusual certificate requests in AD CS logs
Failed authentication attempts to AD CS services
Unexpected process creation on AD CS servers

Network Indicators:

Unusual network traffic patterns to AD CS servers
Certificate requests from unexpected sources

SIEM Query:

source="ADCS" AND (event_id=4886 OR event_id=4887) AND certificate_request_count > threshold

📊 Metadata

CVE ID: CVE-2023-35350

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-122

Published: July 11, 2023

Last Updated: November 21, 2024

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35350 Patch,Vendor Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35350 Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-35350, you might also want to check these: