CVE-2023-36424

Q: What is the severity of CVE-2023-36424?

CVE-2023-36424 has a CVSS score of 7.8 (HIGH). This vulnerability in the Windows Common Log File System (CLFS) driver allows an authenticated attacker to gain SYSTEM-level privileges through a local exploit. It affects Windows systems where an attacker already has some level of access. Successful exploitation requires the attacker to have the ability to execute code on the target system.

7.8 HIGH

📋 TL;DR

This vulnerability in the Windows Common Log File System (CLFS) driver allows an authenticated attacker to gain SYSTEM-level privileges through a local exploit. It affects Windows systems where an attacker already has some level of access. Successful exploitation requires the attacker to have the ability to execute code on the target system.

💻 Affected Systems

Products:

Microsoft Windows

Versions: Windows 10, Windows 11, Windows Server 2019, Windows Server 2022, and earlier supported versions

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: All systems running affected Windows versions with the CLFS driver enabled are vulnerable by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains full SYSTEM privileges, enabling complete system compromise, data theft, persistence mechanisms, and lateral movement across the network.

🟠

Likely Case

Privilege escalation from a standard user or lower-privileged service account to SYSTEM, allowing installation of malware, disabling security controls, or accessing sensitive data.

🟢

If Mitigated

Limited impact if proper endpoint protection, application control, and least privilege principles are enforced, though local privilege escalation remains possible.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring authenticated access to the system.

🏢 Internal Only: HIGH - Malicious insiders or attackers who have compromised user credentials can exploit this to gain full system control.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access and the ability to execute code. No public proof-of-concept has been released as of the last update.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply the October 2023 security updates or later from Microsoft

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36424

Restart Required: Yes

Instructions:

1. Open Windows Update settings. 2. Check for updates. 3. Install all available security updates. 4. Restart the system when prompted.

🔧 Temporary Workarounds

Restrict local user privileges

windows

Implement least privilege principles to limit what authenticated users can do, reducing the impact of successful exploitation.

🧯 If You Can't Patch

Implement strict application control policies to prevent unauthorized code execution
Monitor for suspicious privilege escalation attempts using endpoint detection and response (EDR) tools

🔍 How to Verify

Check if Vulnerable:

Check if the system has the October 2023 security updates installed. Systems without these updates are vulnerable.

Check Version:

wmic qfe list | findstr "KB5031356" or check Settings > Update & Security > Windows Update > View update history

Verify Fix Applied:

Verify that KB5031356 (for Windows 10) or equivalent October 2023 security updates are installed and the system has been restarted.

📡 Detection & Monitoring

Log Indicators:

Event ID 4688 with privileged process creation from non-privileged users
Unexpected SYSTEM-level process execution

Network Indicators:

None - this is a local exploit

SIEM Query:

EventID=4688 AND NewProcessName="*" AND SubjectUserName!="SYSTEM" AND TokenElevationType="%%1938"

📊 Metadata

CVE ID: CVE-2023-36424

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-125

Published: November 14, 2023

Last Updated: November 21, 2024

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36424 Patch,Vendor Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36424 Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 21h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict local user privileges

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities