CVE-2023-36401

7.2 HIGH

📋 TL;DR

This vulnerability in Microsoft Remote Registry Service allows authenticated attackers to execute arbitrary code remotely on affected systems. It affects Windows servers and workstations where the Remote Registry service is enabled, potentially leading to full system compromise.

💻 Affected Systems

Products:
  • Microsoft Windows
Versions: Windows Server 2019, Windows Server 2022, Windows 10, Windows 11
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Remote Registry service to be enabled and reachable over the network. Default configurations may be vulnerable if the service is enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with administrative privileges, enabling data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Privilege escalation leading to lateral movement within the network and data exfiltration.

🟢 If Mitigated

Limited impact due to network segmentation and proper authentication controls restricting access to vulnerable services.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authentication to the target system. No public exploit code available at time of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply latest Windows security updates from October 2023 or later

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36401

Restart Required: Yes

Instructions:

1. Install Windows updates via Windows Update or WSUS.
2. Apply the October 2023 security updates.
3. Restart the system to complete installation.

🔧 Temporary Workarounds

Disable Remote Registry Service (windows)

Disables the vulnerable service to prevent exploitation:

sc config RemoteRegistry start= disabled
sc stop RemoteRegistry

Block Remote Registry Ports (windows)

Blocks network access to the Remote Registry service:

netsh advfirewall firewall add rule name="Block Remote Registry" dir=in action=block protocol=TCP localport=445

🧯 If You Can't Patch

  • Disable Remote Registry service on all affected systems
  • Implement network segmentation to restrict access to vulnerable systems

🔍 How to Verify

Check if Vulnerable:

Check whether the Remote Registry service is running and whether the system has not yet received the October 2023 security updates.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Confirm that Windows Update history shows the October 2023 security updates as installed.
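The three verification steps above, combined into one read-only PowerShell check. This is an added example, not code from the vendor advisory or from the page; it assumes the October 2023 Patch Tuesday release date (2023-10-10) as the cutoff for "October 2023 security updates or later" and uses the firewall rule name from the workaround section.

```powershell
# Added example: read-only exposure check for the Remote Registry service.
# Assumption: 2023-10-10 (October 2023 Patch Tuesday) is the update cutoff.
$cutoff   = Get-Date '2023-10-10'
$ruleName = 'Block Remote Registry'   # name used by the workaround on this page

# 1. Service present? Running? Start type? (StartType needs PowerShell 5+)
$svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
$svcState = if ($svc) { "$($svc.Status) (StartType: $($svc.StartType))" } else { 'not installed' }

# 2. Any update installed on or after the cutoff? Get-HotFix reads
#    Win32_QuickFixEngineering; a missing InstalledOn date is treated as
#    unknown, not as a pass.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $cutoff } |
    Sort-Object InstalledOn -Descending

# 3. Is the page's inbound TCP/445 block rule in place?
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue

$os = Get-CimInstance Win32_OperatingSystem

[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    OS                 = "$($os.Caption) $($os.Version)"
    RemoteRegistry     = $svcState
    UpdatesSinceCutoff = if ($recent) { ($recent | ForEach-Object { $_.HotFixID }) -join ', ' } else { 'none' }
    FirewallRule       = if ($rule) { "Enabled=$($rule.Enabled) Action=$($rule.Action)" } else { 'absent' }
    # Flagged only when the service is running AND no update since the cutoff is recorded.
    LikelyExposed      = [bool]($svc -and $svc.Status -eq 'Running' -and -not $recent)
}
```

Get-HotFix can lag the Settings > Windows Update history view, so treat `UpdatesSinceCutoff = none` as a prompt to check the update history rather than as proof the patch is missing.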

📡 Detection & Monitoring

Log Indicators:

  • Unusual Remote Registry service activity
  • Failed authentication attempts to Remote Registry
  • Process creation from Remote Registry service

Network Indicators:

  • Unusual SMB traffic to port 445
  • Remote Registry protocol anomalies

SIEM Query:

source="windows" AND (event_id=4625 OR event_id=4688) AND process_name="svchost.exe" AND service_name="RemoteRegistry"
