CVE-2023-36598

Q: What is the severity of CVE-2023-36598?

CVE-2023-36598 has a CVSS score of 7.8 (HIGH). This vulnerability allows remote attackers to execute arbitrary code on systems using Microsoft's WDAC ODBC Driver by exploiting a heap-based buffer overflow. It affects systems running Microsoft Windows with the vulnerable driver installed. Attackers could gain SYSTEM privileges on compromised systems.

7.8 HIGH

Remote Code Execution Buffer Overflow

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on systems using Microsoft's WDAC ODBC Driver by exploiting a heap-based buffer overflow. It affects systems running Microsoft Windows with the vulnerable driver installed. Attackers could gain SYSTEM privileges on compromised systems.

💻 Affected Systems

Products:

Microsoft Windows Defender Application Control ODBC Driver

Versions: All versions prior to security updates released in October 2023

Operating Systems: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Default Config Vulnerable: ⚠️ Yes

Notes: Systems with WDAC policies using ODBC connections are vulnerable. The driver is included with Windows but may not be actively used on all systems.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with SYSTEM privileges, enabling data theft, ransomware deployment, or persistent backdoor installation.

🟠

Likely Case

Privilege escalation leading to lateral movement within networks, credential harvesting, and data exfiltration.

🟢

If Mitigated

Limited impact with proper network segmentation, least privilege principles, and endpoint protection blocking exploit attempts.

🌐 Internet-Facing: MEDIUM - Requires specific ODBC connections to be exposed, which is less common than web services.

🏢 Internal Only: HIGH - Internal attackers or compromised internal systems could exploit this for lateral movement and privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires the attacker to be able to send malicious data to the ODBC driver, typically through a compromised application or network access. No public exploits were available at disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: October 2023 security updates (KB5031356 for Windows 10, KB5031354 for Windows 11, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36598

Restart Required: Yes

Instructions:

1. Apply October 2023 Windows security updates via Windows Update. 2. For enterprise environments, deploy updates through WSUS or Microsoft Endpoint Configuration Manager. 3. Restart systems after update installation.

🔧 Temporary Workarounds

Disable WDAC ODBC Driver if unused

windows

Remove or disable the vulnerable driver if not required for business operations

sc stop wdacodbc
sc config wdacodbc start= disabled

Network segmentation

all

Restrict network access to systems using ODBC connections

🧯 If You Can't Patch

Implement strict network segmentation to isolate systems using ODBC connections
Deploy endpoint detection and response (EDR) solutions to detect and block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check if October 2023 security updates are installed via 'systeminfo' command or Windows Update history

Check Version:

wmic qfe list | findstr KB5031356 (adjust KB number for your OS version)

Verify Fix Applied:

Verify KB5031356 (Windows 10) or KB5031354 (Windows 11) is installed and system has been restarted

📡 Detection & Monitoring

Log Indicators:

Windows Event Logs showing ODBC driver crashes (Event ID 1000)
Unexpected process creation from odbc32.dll or related processes

Network Indicators:

Unusual ODBC connection attempts to database servers
Anomalous network traffic to/from systems using ODBC

SIEM Query:

EventID=1000 AND SourceName="Application Error" AND (Message="*odbc*" OR Message="*WDAC*")

📊 Metadata

CVE ID: CVE-2023-36598

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-122

Published: October 10, 2023

Last Updated: November 21, 2024

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36598 Patch,Vendor Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36598 Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1507 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h1 by Microsoft

Windows 10 21h1 by Microsoft

Windows 10 21h1 by Microsoft

Windows 10 22h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 21h2 by Microsoft

Windows 11 21h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable WDAC ODBC Driver if unused

Network segmentation

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities