CVE-2023-35638
📋 TL;DR
This vulnerability in the Windows DHCP Server service allows an attacker to send specially crafted packets that cause a denial of service (DoS) condition. The service crashes, preventing DHCP from assigning IP addresses to clients. This affects Windows Server systems running the DHCP Server role.
💻 Affected Systems
- Windows Server
⚠️ Risk & Real-World Impact
Worst Case
Complete DHCP service outage across the network, preventing new devices from joining and existing clients from renewing leases, leading to widespread network connectivity failures.
Likely Case
DHCP service crashes requiring manual restart, causing temporary IP assignment failures for new devices and lease renewals until service is restored.
If Mitigated
Service automatically restarts via Windows service recovery options, causing brief DHCP interruptions but maintaining overall network functionality.
🎯 Exploit Status
Exploitation requires network access to the DHCP server port (UDP 67). No authentication is required to send the malicious packets.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Security updates released in December 2023
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35638
Restart Required: Yes
Instructions:
1. Apply the December 2023 security updates from Windows Update.
2. For manual installation, download the appropriate security update from Microsoft Update Catalog.
3. Install the update and restart the server.
🔧 Temporary Workarounds
Block unauthorized DHCP traffic
Configure network firewalls to only allow DHCP traffic from authorized sources and networks.
Implement DHCP failover
Configure DHCP failover to maintain service if the primary server goes down.
🧯 If You Can't Patch
- Segment DHCP servers on isolated network segments with strict firewall rules
- Implement network monitoring and alerting for DHCP service crashes
🔍 How to Verify
Check if Vulnerable:
Check whether the DHCP Server role is installed and running on an affected Windows Server version (2019, 2022, 23H2) that does not have the December 2023 security updates.
Check Version:
wmic os get caption, version, buildnumber, osarchitecture
Verify Fix Applied:
Verify that December 2023 security updates are installed and the DHCP service is running normally.
📡 Detection & Monitoring
Log Indicators:
- Event ID 1014 from source DhcpServer indicating service crash
- Unexpected DHCP service restarts in System logs
Network Indicators:
- Unusual UDP traffic to port 67 from unexpected sources
- DHCP DISCOVER packets with malformed options
SIEM Query:
source="WinEventLog:System" AND ((EventCode=1014 AND SourceName="DhcpServer") OR (EventCode=7036 AND ServiceName="DHCPServer" AND Message="*stopped*"))
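The checks under "How to Verify" and the log indicators above can be run together on the server itself. The following read-only PowerShell triage is an added example, not vendor-supplied code. It assumes an English-language System log, a 7-day lookback, and a cut-off of 2023-12-01 as a heuristic for "December 2023 or later"; confirm the exact update for your build against the vendor advisory.

```powershell
# Added example: read-only triage for CVE-2023-35638 on a Windows Server host.
# Assumptions (not from the advisory): 7-day lookback, English event messages,
# and $FixMonth as a date heuristic. An update dated after $FixMonth does not
# prove the specific fix is present; check the advisory's update for your build.
$FixMonth = Get-Date '2023-12-01'
$Lookback = (Get-Date).AddDays(-7)

# 1. Is the DHCP Server role installed, and is the service running?
$role = Get-WindowsFeature -Name DHCP
$svc  = Get-Service -Name DHCPServer -ErrorAction SilentlyContinue

# 2. Most recently installed update (InstalledOn is empty on some entries).
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1

# 3. Log indicators: Event ID 1014 from the DHCP server provider, and
#    Service Control Manager 7036 "stopped" events for the DHCP Server service.
$hits = Get-WinEvent -FilterHashtable @{
            LogName = 'System'; Id = 1014, 7036; StartTime = $Lookback
        } -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Id -eq 1014 -and $_.ProviderName -like '*Dhcp*') -or
            ($_.Id -eq 7036 -and $_.Message -like '*DHCP Server*stopped*')
        }

# Summary object for a ticket or for collection across several servers.
[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    DhcpRoleInstalled  = [bool]$role.Installed
    ServiceStatus      = if ($svc) { $svc.Status } else { 'NotPresent' }
    LatestUpdate       = $latest.HotFixID
    LatestUpdateDate   = $latest.InstalledOn
    UpdatedSinceFix    = [bool]($latest -and $latest.InstalledOn -ge $FixMonth)
    StopOrCrashEvents  = @($hits).Count
}

# 4. Mitigation check: service recovery actions (restart on failure).
sc.exe qfailure DHCPServer
```

A host with `DhcpRoleInstalled` true and `UpdatedSinceFix` false is the priority for patching; a non-zero `StopOrCrashEvents` on such a host warrants reviewing the surrounding System log entries.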