CVE-2023-36397

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on affected Windows systems by sending specially crafted PGM (Pragmatic General Multicast) protocol packets. It affects Windows systems with the PGM feature enabled, primarily servers using Windows Server editions. Attackers can exploit this without authentication to gain SYSTEM-level privileges.

💻 Affected Systems

Products:
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
  • Windows 10
  • Windows 11
Versions: All supported versions prior to October 2023 security updates
Operating Systems: Windows
Default Config Vulnerable: ✅ No
Notes: PGM is not enabled by default on most Windows systems. Primarily affects systems where PGM has been explicitly enabled for multicast applications.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling attackers to install malware, steal data, create backdoors, or pivot to other systems on the network.

🟠

Likely Case

Remote code execution leading to ransomware deployment, data exfiltration, or botnet recruitment of vulnerable systems.

🟢

If Mitigated

Limited impact if systems are patched, network segmentation is implemented, and PGM is disabled on internet-facing systems.

🌐 Internet-Facing: HIGH - Systems with PGM enabled and exposed to the internet are directly vulnerable to remote exploitation without authentication.
🏢 Internal Only: MEDIUM - Internal systems with PGM enabled remain vulnerable to lateral movement if an attacker gains initial access to the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Microsoft has confirmed exploitation is more likely. The vulnerability requires no authentication and has a low attack complexity, making it attractive for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: October 2023 security updates (KB5031358 for Windows 10, KB5031362 for Windows 11, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36397

Restart Required: Yes

Instructions:

1. Apply October 2023 security updates from Windows Update.
2. For enterprise environments, deploy updates via WSUS, Configuration Manager, or Microsoft Intune.
3. Restart affected systems after patch installation.

🔧 Temporary Workarounds

Disable PGM Protocol

Platform: windows

Disables the Pragmatic General Multicast protocol to prevent exploitation

netsh int ipv4 set global mldlevel=none
netsh int ipv6 set global mldlevel=none

Block PGM Ports

Platform: all

Block PGM traffic at the network perimeter

🧯 If You Can't Patch

  • Disable PGM protocol on all affected systems using netsh commands
  • Implement network segmentation to isolate systems with PGM enabled from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check whether the October 2023 security updates are installed, using the 'systeminfo' command or the Windows Update history

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify that KB5031358 (Windows 10), KB5031362 (Windows 11), or the equivalent Windows Server updates are installed
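An added PowerShell check (not part of this advisory) that combines the two verification steps above: it looks for the KBs named on this page and tests whether PGM is actually bound to an adapter, since the advisory notes that only systems with PGM enabled are affected. It assumes the Windows PGM implementation (Reliable Multicast Protocol) is the adapter binding with component ID ms_rmcast and that the NetAdapter module (Windows 8 / Server 2012 and later) is available.

```powershell
# Added example, not from the advisory. Assumes the Windows PGM implementation
# (Reliable Multicast Protocol) is the adapter binding with ComponentID 'ms_rmcast'
# and that the NetAdapter module (Windows 8 / Server 2012+) is present.
# Run in an elevated PowerShell session; read-only unless -DisablePgm is given.

function Test-Cve202336397Exposure {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # KBs named in the advisory; add the Server KB for your SKU if it differs.
        [string[]]$FixKb = @('KB5031358', 'KB5031362'),
        # Disable the PGM binding on every adapter when the host is vulnerable
        # (a cmdlet-based form of the "Disable PGM Protocol" workaround).
        [switch]$DisablePgm
    )

    $os = Get-CimInstance Win32_OperatingSystem

    # 1. Patch state: is any of the listed KBs present in the hotfix list?
    $found = @(Get-HotFix -ErrorAction SilentlyContinue |
               Where-Object { $FixKb -contains $_.HotFixID })
    $patched = $found.Count -gt 0

    # 2. Exposure: is the PGM (ms_rmcast) binding enabled on any adapter?
    $pgm = @(Get-NetAdapterBinding -ComponentID 'ms_rmcast' -ErrorAction SilentlyContinue |
             Where-Object { $_.Enabled })
    $pgmEnabled = $pgm.Count -gt 0

    $result = [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        OSVersion   = "$($os.Caption) build $($os.BuildNumber)"
        PatchedKBs  = ($found.HotFixID -join ',')
        PgmAdapters = ($pgm.Name -join ',')
        # Vulnerable only when unpatched AND PGM is actually bound to an adapter.
        Vulnerable  = (-not $patched) -and $pgmEnabled
    }

    if ($result.Vulnerable -and $DisablePgm) {
        foreach ($b in $pgm) {
            if ($PSCmdlet.ShouldProcess($b.Name, 'Disable ms_rmcast binding')) {
                Disable-NetAdapterBinding -Name $b.Name -ComponentID 'ms_rmcast'
            }
        }
    }
    return $result
}

# Usage:   Test-Cve202336397Exposure | Format-List
# Dry run of the workaround:   Test-Cve202336397Exposure -DisablePgm -WhatIf
```

A host that reports Vulnerable = False because PGM is not bound still needs the patch before PGM is ever enabled on it.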

📡 Detection & Monitoring

Log Indicators:

  • Windows Security Event ID 4688 (process creation) with suspicious parent processes
  • Unexpected network connections to PGM ports (5351, 5352)

Network Indicators:

  • Unusual PGM protocol traffic from external sources
  • Spike in multicast traffic to vulnerable systems

SIEM Query:

EventID=4688 AND (ProcessName="cmd.exe" OR ProcessName="powershell.exe") AND ParentProcessName contains "svchost.exe" AND CommandLine contains suspicious patterns

🔗 References
