CVE-2023-36405 – This Windows kernel vulnerability allows an aut... (How to Fix)

Q: What is the severity of CVE-2023-36405?

CVE-2023-36405 has a CVSS score of 7.0 (HIGH). This Windows kernel vulnerability allows an authenticated attacker to execute arbitrary code with elevated SYSTEM privileges. It affects Windows systems where an attacker already has local access. Successful exploitation requires the attacker to have initial access to the target system.

📋 TL;DR

This Windows kernel vulnerability allows an authenticated attacker to execute arbitrary code with elevated SYSTEM privileges. It affects Windows systems where an attacker already has local access. Successful exploitation requires the attacker to have initial access to the target system.

💻 Affected Systems

Products:

Microsoft Windows

Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations of affected Windows versions are vulnerable. No special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker gains full SYSTEM privileges, enabling complete system compromise, persistence installation, credential theft, and lateral movement across the network.

🟠

Likely Case

Privilege escalation from a standard user or lower-privileged account to SYSTEM, allowing installation of malware, disabling security controls, or accessing protected resources.

🟢

If Mitigated

Limited impact due to proper patch management, endpoint protection, and least privilege principles preventing initial access.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring authenticated access to the system.

🏢 Internal Only: HIGH - Attackers with internal network access or compromised user accounts can exploit this to escalate privileges and move laterally.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access and knowledge of kernel exploitation techniques. No public exploit code is available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply the October 2023 Windows security updates (KB5031356 for Windows 10, KB5031354 for Windows 11, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36405

Restart Required: Yes

Instructions:

1. Open Windows Update settings. 2. Click 'Check for updates'. 3. Install all available security updates. 4. Restart the system when prompted.

🔧 Temporary Workarounds

Restrict local access

windows

Limit who has local login access to critical systems to reduce attack surface

Implement least privilege

windows

Ensure users operate with minimal necessary privileges to limit impact of successful exploitation

🧯 If You Can't Patch

Implement strict access controls and network segmentation to limit lateral movement
Deploy endpoint detection and response (EDR) solutions to detect privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check if October 2023 Windows security updates are installed via 'winver' command or Windows Update history

Check Version:

winver

Verify Fix Applied:

Verify KB5031356 (Windows 10) or KB5031354 (Windows 11) is installed in Windows Update history

📡 Detection & Monitoring

Log Indicators:

Windows Security Event ID 4688 (process creation) showing unexpected SYSTEM privilege processes
Event ID 4672 (special privileges assigned)

Network Indicators:

Unusual outbound connections from SYSTEM processes
Lateral movement attempts following privilege escalation

SIEM Query:

EventID=4688 AND NewProcessName CONTAINS 'cmd.exe' AND SubjectUserName='SYSTEM' AND NOT ParentProcessName CONTAINS 'services.exe'

📊 Metadata

CVE ID: CVE-2023-36405

CVSS v3 Score: 7.0 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-362

Published: November 14, 2023

Last Updated: November 21, 2024

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36405 Patch,Vendor Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36405 Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-36405, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 21h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict local access

Implement least privilege

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities