CVE-2023-36585

7.5 HIGH

📋 TL;DR

This vulnerability in Windows upnphost.dll allows attackers to cause a denial of service (DoS) by sending specially crafted requests to the Universal Plug and Play (UPnP) service. It affects Windows systems with the UPnP service enabled, potentially causing system crashes or service disruptions.

💻 Affected Systems

Products:
  • Microsoft Windows
Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires UPnP service to be running. Some Windows Server editions may have UPnP disabled by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system crash requiring reboot, disrupting all services on the affected machine

🟠 Likely Case: UPnP service crash causing temporary loss of UPnP functionality until service restart

🟢 If Mitigated: Minimal impact with proper network segmentation and UPnP disabled on internet-facing systems

🌐 Internet-Facing: MEDIUM - UPnP should not be exposed to internet, but if misconfigured, could be exploited remotely
🏢 Internal Only: LOW - Requires network access to UPnP service, typically only exploitable from local network

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to UPnP service (port 2869/tcp typically). No authentication needed to trigger the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: October 2023 security updates (KB5031356 for Windows 10, KB5031354 for Windows 11, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36585

Restart Required: Yes

Instructions:

1. Install the October 2023 Windows security updates via Windows Update.
2. Alternatively, download and install the specific KB patch for your Windows version from the Microsoft Update Catalog.
3. Restart the system after installation.

🔧 Temporary Workarounds

Disable UPnP Service

Disables the UPnP Device Host service to prevent exploitation

sc config upnphost start= disabled
sc stop upnphost

Block UPnP Network Access

Blocks network access to UPnP service via firewall

netsh advfirewall firewall add rule name="Block UPnP" dir=in action=block protocol=TCP localport=2869

🧯 If You Can't Patch

  • Disable UPnP service on all affected systems
  • Implement network segmentation to restrict access to UPnP service (port 2869/tcp)

🔍 How to Verify

Check if Vulnerable:

Check whether the October 2023 security updates are installed, using the systeminfo command (hotfix list) or Windows Update history.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify patch installation with wmic qfe list, or check Windows Update history for KB5031356/KB5031354.

📡 Detection & Monitoring

Log Indicators:

  • Event ID 1000 in Application logs with faulting module upnphost.dll
  • UPnP service crashes in System logs

Network Indicators:

  • Unusual traffic to port 2869/tcp
  • Multiple connection attempts to UPnP service

SIEM Query:

source="windows" event_id=1000 faulting_module="upnphost.dll"
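An added PowerShell check (not part of this advisory page) that ties together the verification and detection steps above: it looks for the October 2023 KBs named on this page, reports the upnphost service state and whether the "Block UPnP" firewall rule from the workaround exists, and pulls Application-log Event ID 1000 entries whose faulting module is upnphost.dll. The KB list covers only the Windows 10 and Windows 11 numbers given here; other builds use different KBs and the list is an assumption to adjust.

```powershell
# Added example: consolidates the verify/detect steps from this page.
# Run in an elevated PowerShell session on the host being checked.

# KBs named on this page for the October 2023 update (Windows 10 / Windows 11).
# Other SKUs use different KB numbers; adjust this list for your build.
$OctoberKbs = @('KB5031356', 'KB5031354')

function Test-Cve202336585Patched {
    # $true if any of the listed KBs is present in the hotfix inventory.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    return [bool]($OctoberKbs | Where-Object { $installed -contains $_ })
}

function Get-UpnpExposure {
    # Is the UPnP Device Host running, and does the workaround's
    # 'Block UPnP' inbound firewall rule exist?
    $svc  = Get-Service -Name upnphost -ErrorAction SilentlyContinue
    $rule = Get-NetFirewallRule -DisplayName 'Block UPnP' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceStatus    = $(if ($svc) { $svc.Status } else { 'NotInstalled' })
        ServiceStartType = $(if ($svc) { $svc.StartType } else { 'n/a' })
        BlockRulePresent = [bool]$rule
    }
}

function Get-UpnphostCrashEvents {
    param([int]$Days = 30)
    # Application Event ID 1000 (Application Error) entries whose faulting
    # module is upnphost.dll: the log indicator called out in this section.
    $filter = @{ LogName = 'Application'; Id = 1000; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'upnphost\.dll' } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

$patched  = Test-Cve202336585Patched
$exposure = Get-UpnpExposure
$crashes  = @(Get-UpnphostCrashEvents)

"Patched (KB present):  $patched"
"upnphost service:      $($exposure.ServiceStatus) / $($exposure.ServiceStartType)"
"Block UPnP rule:       $($exposure.BlockRulePresent)"
"upnphost.dll crashes:  $($crashes.Count) in last 30 days"
if (-not $patched -and $exposure.ServiceStatus -eq 'Running' -and -not $exposure.BlockRulePresent) {
    Write-Warning 'Unpatched, UPnP Device Host running and no firewall block: exposed to CVE-2023-36585.'
}
```

A non-zero crash count on an unpatched host is worth correlating with the port 2869/tcp network indicators above before concluding it is a stability issue rather than triggered input.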
