CVE-2023-35643
📋 TL;DR
This vulnerability in the DHCP Server Service allows an attacker to read sensitive information from memory, potentially exposing credentials or other confidential data. It affects Windows Server systems running the DHCP Server role. Attackers must have network access to the DHCP server to exploit this.
💻 Affected Systems
- Windows Server
📦 What is this software?
The DHCP Server service is the Windows Server role that leases IP addresses and network configuration (default gateway, DNS servers, and similar options) to clients on the local network.
⚠️ Risk & Real-World Impact
Worst Case
An attacker could extract sensitive information like credentials, configuration secrets, or other memory-resident data from the DHCP server, leading to lateral movement or privilege escalation.
Likely Case
Information disclosure of DHCP server configuration details or network information that could aid in further attacks.
If Mitigated
Limited exposure of non-critical information with minimal impact on operations.
🎯 Exploit Status
Exploitation requires network access to the DHCP server and knowledge of the vulnerability. No public exploit code is known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply the latest Windows Server security updates from Microsoft (specific KB numbers vary by version)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35643
Restart Required: Yes
Instructions:
1. Download and install the latest security update for your Windows Server version from Microsoft Update.
2. Restart the server to complete the installation.
🔧 Temporary Workarounds
Disable DHCP Server Service
Temporarily disable the DHCP Server service if it is not required; note that this breaks DHCP functionality for every client the server serves.
Stop-Service DHCPServer
Set-Service DHCPServer -StartupType Disabled
Restrict Network Access
Use firewall rules to restrict access to the DHCP server (ports 67/UDP and 68/UDP) to only authorized clients. Two caveats: in Windows Defender Firewall a Block rule always overrides an Allow rule, so a catch-all Block rule for ports 67/68 would also cut off the trusted subnet; the restriction has to come from the profile's default inbound action instead. And clients that do not yet have an address send DHCPDISCOVER from source 0.0.0.0, which a subnet-based rule cannot match, so this workaround fits best where clients reach the server through a DHCP relay whose address is in the allowed range.
New-NetFirewallRule -DisplayName "Allow DHCP From Trusted" -Direction Inbound -Protocol UDP -LocalPort 67,68 -RemoteAddress 192.168.1.0/24 -Action Allow
Get-NetFirewallRule -DisplayGroup "DHCP Server" | Disable-NetFirewallRule   # disable the role's built-in broad allow rules (confirm the group name with Get-NetFirewallRule -DisplayGroup "DHCP Server")
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block   # everything not explicitly allowed above is now dropped
🧯 If You Can't Patch
- Implement strict network segmentation to isolate DHCP servers from untrusted networks.
- Monitor DHCP server logs for unusual activity and implement intrusion detection.
🔍 How to Verify
Check if Vulnerable:
Check if the system is running Windows Server with DHCP Server role and has not applied the latest security updates.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that the latest Windows Server security updates are installed and the system has been restarted.
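The following PowerShell script is an added example, not part of the advisory, that turns the two checks above into one report: it confirms the DHCP Server service exists on the host, looks for a given update with Get-HotFix, and flags a possibly pending restart by comparing the update's install date with the last boot time. The KB number is a placeholder parameter, because the advisory notes that the real KB varies by Windows Server version; take it from the MSRC link above.

```powershell
# Added example, not part of the advisory: report whether this host is a DHCP server
# that still lacks the update for CVE-2023-35643 and whether a restart is pending.
# $RequiredKB is a PLACEHOLDER; look up the KB for your OS build in the MSRC advisory.
param(
    [string]$RequiredKB = 'KB0000000'   # placeholder, not a real KB number
)

$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$svc = Get-Service -Name DHCPServer -ErrorAction SilentlyContinue     # $null when the role is not installed
$fix = Get-HotFix -Id $RequiredKB -ErrorAction SilentlyContinue        # $null when the update is missing

# Get-HotFix reports InstalledOn at day granularity, so an update installed on or after
# the last boot day is treated as "restart may still be pending" (conservative on purpose).
$restartPending = [bool]$fix -and $fix.InstalledOn -and ($fix.InstalledOn.Date -ge $os.LastBootUpTime.Date)

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    OS               = "$($os.Caption) (build $($os.BuildNumber))"
    DhcpServiceState = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
    UpdateInstalled  = [bool]$fix
    RestartPending   = $restartPending
    LastBoot         = $os.LastBootUpTime
    # Exposed only if the DHCP Server service exists and the fix is missing or not yet booted into
    Exposed          = [bool]$svc -and (-not $fix -or $restartPending)
} | Format-List
```

Run it as a script (`.\Check-Dhcp35643.ps1 -RequiredKB KB<real number>`) on each DHCP server; `Exposed = True` means the host still needs the update or the post-install restart.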
📡 Detection & Monitoring
Log Indicators:
- Unusual DHCP request patterns or errors in Windows Event Logs under Applications and Services Logs > Microsoft > Windows > DHCP-Server
Network Indicators:
- Abnormal traffic to DHCP server ports (67/UDP, 68/UDP) from unexpected sources
SIEM Query:
EventID: 1000-1999 from Source: DHCP-Server with abnormal frequency or from untrusted IPs
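The script below is an added example, not part of the advisory, showing how the "unusual DHCP request patterns" indicator can be checked from the DHCP server's own audit log (DhcpSrvLog-<Day>.log) rather than only from a SIEM. It groups rows by client MAC and reports any MAC with a burst of leases/renewals or repeated denials (audit-log event ID 15 is "a lease was denied"). The rows in `$sample` are constructed for the example in the first seven columns of the audit-log layout, and the thresholds are arbitrary starting points to tune for your environment.

```powershell
# Added example, not part of the advisory: summarise DHCP audit-log rows per client MAC and
# flag bursts of requests or repeated denials (audit-log ID 15 = lease denied).
# The rows in $sample are CONSTRUCTED in the first seven columns of the audit-log layout
# (ID,Date,Time,Description,IP Address,Host Name,MAC Address); real files carry more columns,
# which the parser ignores.

$sample = @'
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,09/19/23,09:59:00,Started,,,
10,09/19/23,10:01:02,Assign,192.168.1.50,ws01.corp.example,00AABBCC0001
11,09/19/23,10:01:30,Renew,192.168.1.51,ws02.corp.example,00AABBCC0002
15,09/19/23,10:02:01,Denied,192.168.1.200,,00AABBCC0099
15,09/19/23,10:02:02,Denied,192.168.1.201,,00AABBCC0099
15,09/19/23,10:02:03,Denied,192.168.1.202,,00AABBCC0099
10,09/19/23,10:02:04,Assign,192.168.1.203,,00AABBCC0099
10,09/19/23,10:02:05,Assign,192.168.1.204,,00AABBCC0099
'@

function Get-DhcpAuditFindings {
    param(
        [string[]]$Lines,
        [int]$MaxRequestsPerMac = 3,   # more leases/renewals than this per MAC counts as unusual
        [int]$MaxDeniedPerMac   = 2    # this many denials or more per MAC counts as unusual
    )
    $rows = foreach ($line in $Lines) {
        if ($line -notmatch '^\d{2},') { continue }    # skip the header and free-text lines
        $f = $line -split ','
        [pscustomobject]@{ ID = [int]$f[0]; Time = "$($f[1]) $($f[2])"; IP = $f[4]; Host = $f[5]; MAC = $f[6] }
    }
    $rows | Where-Object { $_.MAC } | Group-Object MAC | ForEach-Object {
        $denied   = @($_.Group | Where-Object { $_.ID -eq 15 }).Count
        $requests = @($_.Group | Where-Object { $_.ID -in 10, 11 }).Count   # 10 = new lease, 11 = renewal
        if ($requests -gt $MaxRequestsPerMac -or $denied -ge $MaxDeniedPerMac) {
            [pscustomobject]@{
                MAC       = $_.Name
                Requests  = $requests
                Denied    = $denied
                IPs       = ($_.Group.IP | Where-Object { $_ } | Sort-Object -Unique) -join ';'
                FirstSeen = ($_.Group | Select-Object -First 1).Time
            }
        }
    }
}

# On the constructed sample only 00AABBCC0099 is reported (3 denials, then 2 leases).
Get-DhcpAuditFindings -Lines ($sample -split "`r?`n") | Format-Table -AutoSize

# Against a live server, feed the current day's audit log instead (the role's default path;
# the day abbreviation in the file name is locale dependent):
# Get-DhcpAuditFindings -Lines (Get-Content "$env:SystemRoot\System32\dhcp\DhcpSrvLog-$(Get-Date -Format ddd).log")
```

The same grouping can be applied to the Windows event log channel the advisory points at (under Applications and Services Logs > Microsoft > Windows > DHCP-Server) by piping `Get-WinEvent` output through `Group-Object Id`; confirm the exact channel name on your server with `Get-WinEvent -ListLog *Dhcp*` before scheduling it.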