CVE-2023-35356
📋 TL;DR
CVE-2023-35356 is a Windows kernel elevation of privilege vulnerability that allows authenticated attackers to execute arbitrary code with SYSTEM privileges. It affects Windows operating systems and can lead to complete system compromise. Attackers must have valid credentials and local access to exploit this vulnerability.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21h2 by Microsoft
Windows 10 22h2 by Microsoft
Windows 11 21h2 by Microsoft
Windows 11 22h2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with SYSTEM privileges, enabling installation of malware, data theft, lateral movement, and persistence mechanisms.
Likely Case
Privilege escalation from standard user to SYSTEM, allowing attackers to bypass security controls, install backdoors, and access sensitive system resources.
If Mitigated
Limited impact with proper patch management, least privilege principles, and endpoint protection that can detect kernel exploitation attempts.
🎯 Exploit Status
Multiple proof-of-concept exploits are publicly available. Exploitation requires local access and valid user credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Security updates released in July 2023 and later
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35356
Restart Required: Yes
Instructions:
1. Apply Windows Update from Settings > Update & Security > Windows Update. 2. For enterprise environments, deploy through WSUS or Microsoft Endpoint Configuration Manager. 3. Restart systems after patch installation.
🔧 Temporary Workarounds
Restrict local access
windowsLimit local login capabilities to reduce attack surface
Implement least privilege
windowsEnsure users operate with minimal necessary privileges
🧯 If You Can't Patch
- Implement strict access controls and monitor for privilege escalation attempts
- Deploy endpoint detection and response (EDR) solutions with kernel protection capabilities
🔍 How to Verify
Check if Vulnerable:
Check Windows Update history for July 2023 security updates or use: wmic qfe list | findstr "KB5028166 KB5028168 KB5028171"Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"Verify Fix Applied:
Verify security update KB5028166 (Windows 10), KB5028168 (Windows 11), or KB5028171 (Server) is installed📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 with suspicious parent processes
- Unexpected privilege escalation events
- Kernel mode driver loading
Network Indicators:
- Lateral movement from previously compromised systems
- Unusual authentication patterns
SIEM Query:
EventID=4688 AND (NewProcessName="*cmd.exe" OR NewProcessName="*powershell.exe") AND ParentProcessName="*explorer.exe" | where TokenElevationType="%%1938"🔗 References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35356
- http://packetstormsecurity.com/files/174115/Microsoft-Windows-Kernel-Arbitrary-Read.html
- http://packetstormsecurity.com/files/174118/Microsoft-Windows-Kernel-Security-Descriptor-Use-After-Free.html
- http://packetstormsecurity.com/files/176451/Microsoft-Windows-Registry-Predefined-Keys-Privilege-Escalation.html
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35356
