CVE-2023-36631

7.8 HIGH

📋 TL;DR

In Malwarebytes Binisoft Windows Firewall Control 6.9.2.0, a local unprivileged user can bypass Windows Firewall restrictions by changing rules through the product's rules interface. Password protection is not enabled by default, so any install that has not set a password is exposed. The vendor disputes the report and considers this intended behavior because the password protection feature is available.

💻 Affected Systems

Products:
  • Malwarebytes Binisoft Windows Firewall Control
Versions: 6.9.2.0
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable in the default configuration because password protection is off until an administrator sets a password. The vendor states this is intended behavior, so no fixed version is expected.

📦 What is this software?

Windows Firewall Control (WFC) is a Windows utility, originally from Binisoft and now published by Malwarebytes, that provides a management front end for the built-in Windows Firewall (Windows Defender Firewall) and its rules.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with local access could disable firewall rules, allowing malicious network traffic to bypass security controls and potentially enabling lateral movement, data exfiltration, or remote access.

🟠

Likely Case

Local users could modify firewall rules to allow unauthorized network connections, potentially bypassing security policies for applications or services.

🟢

If Mitigated

With password protection enabled, the vulnerability is effectively mitigated as unauthorized users cannot access the rules interface.

🌐 Internet-Facing: LOW - The flaw cannot be triggered over the network; it requires an authenticated local session (console, RDP, or code already running as a standard user).
🏢 Internal Only: HIGH - Any local account, including standard users, can change firewall rules through the interface, which undermines host firewall policy on shared workstations, terminal servers, and any host where a low-privileged foothold exists.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires only a local session on the system and consists of using the Windows Firewall Control GUI to change rules; no privileges beyond a standard user account are needed. Because the behavior is the product's normal rules interface rather than a memory-safety or injection flaw, no exploit tooling is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: N/A

Restart Required: No

Instructions:

No official patch available. The vendor considers this intended behavior. Enable password protection in Windows Firewall Control settings to mitigate.

🔧 Temporary Workarounds

Enable Password Protection

windows

Set a password in Windows Firewall Control to prevent unauthorized access to the rules interface.

Open Windows Firewall Control > Settings > General > Enable 'Password protect settings' and set a strong password

Restrict Local Access

all

Limit physical and remote access to systems running vulnerable software to trusted users only.

🧯 If You Can't Patch

  • Enable password protection in Windows Firewall Control immediately
  • Monitor firewall rule changes (Security Event IDs 4946-4948 and 4950 with "Audit MPSSVC Rule-Level Policy Change" enabled, or Event IDs 2004-2006 in the Windows Firewall With Advanced Security/Firewall operational log) and restrict which accounts can log on to affected hosts

🔍 How to Verify

Check if Vulnerable:

The host is vulnerable if Windows Firewall Control 6.9.2.0 is installed and the password protection setting is disabled; the two checks are independent and both must be made.

Check Version:

Open the Windows Firewall Control About dialog, or read the file version of the installed wfc.exe binary, or query the product's entry under the Windows Uninstall registry keys.

Verify Fix Applied:

Confirm password protection is enabled, then log on as a standard (non-administrator) user, open Windows Firewall Control, and attempt to change a rule; the interface must prompt for the password and refuse the change without it.
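The version check above, as an added PowerShell example (not Binisoft or Malwarebytes code). It locates the product through the Windows Uninstall registry keys and reads the file version of the installed binary. Assumptions: the product registers a DisplayName beginning "Windows Firewall Control", the GUI binary is named wfc.exe, and the fallback install directory is "$env:ProgramFiles\Malwarebytes\Windows Firewall Control". The password protection state is a WFC setting the script cannot read; that part of the check still has to be done in the GUI and with the standard-user test.

```powershell
<#
  Added verification example for this advisory; not vendor code.
  Assumed: DisplayName 'Windows Firewall Control*', binary wfc.exe,
  fallback directory $env:ProgramFiles\Malwarebytes\Windows Firewall Control.
#>
$affected = [version]'6.9.2.0'

$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'

$entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
         Where-Object { $_.DisplayName -like 'Windows Firewall Control*' } |
         Select-Object -First 1

if (-not $entry) {
    Write-Output 'Windows Firewall Control is not registered in the Uninstall keys on this host.'
    return
}

# Prefer the registered InstallLocation; fall back to the assumed default directory.
$installDir = if ($entry.InstallLocation) { $entry.InstallLocation }
              else { Join-Path $env:ProgramFiles 'Malwarebytes\Windows Firewall Control' }
$exe = Join-Path $installDir 'wfc.exe'

# The binary's file version is authoritative; DisplayVersion is only the registry's claim.
$version = $null
if (Test-Path $exe) {
    $fv = (Get-Item $exe).VersionInfo
    $version = New-Object System.Version($fv.FileMajorPart, $fv.FileMinorPart, $fv.FileBuildPart, $fv.FilePrivatePart)
} elseif ($entry.DisplayVersion) {
    try { $version = [version]$entry.DisplayVersion } catch { $version = $null }
}

$listedAffected = ($null -ne $version) -and ($version -eq $affected)
$note = if ($listedAffected) {
    'Build named in the CVE; enable password protection in WFC.'
} else {
    'Not the build named in the CVE; the vendor treats the behavior as intended, so confirm password protection is on anyway.'
}

[pscustomobject]@{
    Product        = $entry.DisplayName
    Publisher      = $entry.Publisher
    InstallDir     = $installDir
    BinaryPresent  = (Test-Path $exe)
    Version        = $version
    ListedAffected = $listedAffected
    Note           = $note
}
```

Run it in an elevated Windows PowerShell 5.1 session so both registry views are readable. Whatever the version result, the "Verify Fix Applied" step still has to be carried out interactively: log on as a standard user, open the WFC rules interface, and confirm a rule change is refused without the password.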

📡 Detection & Monitoring

Log Indicators:

  • Firewall rule changes: Security log Event IDs 4946 (rule added), 4947 (rule modified), 4948 (rule deleted) and 4950 (setting changed), which appear only when the "Audit MPSSVC Rule-Level Policy Change" subcategory is enabled; or Event IDs 2004 (added), 2005 (modified) and 2006 (deleted) in the Microsoft-Windows-Windows Firewall With Advanced Security/Firewall operational log, which is on by default and records the modifying user and application
  • Launches of the Windows Firewall Control interface (wfc.exe) under non-administrator accounts, visible as Security Event ID 4688 when process creation auditing is enabled, or as Sysmon Event ID 1

Network Indicators:

  • Connections that succeed from applications, or to destinations, that the managed firewall policy should block
  • Outbound traffic from hosts or applications with no corresponding allow rule in the expected policy

SIEM Query:

Select firewall rule-change events (Security 4946-4948 and 4950, or Firewall operational log 2004-2006) and correlate them with wfc.exe process-creation events (Security 4688 or Sysmon 1) whose subject account is not a local administrator; a rule change that follows a non-admin wfc.exe launch on the same host is the pattern to alert on.
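The correlation described above, as an added PowerShell example (not vendor code) that runs locally on the monitored host instead of in a SIEM. It reads rule add/modify/delete events from the firewall operational log, reads wfc.exe launches from Security 4688, and reports rule changes that follow a launch by a non-administrator. Assumptions: the WFC GUI process is wfc.exe; the 2004-2006 events expose RuleName, ModifyingUser (a SID) and ModifyingApplication as EventData fields; 4688 is present only if "Audit Process Creation" is enabled; and the local Administrators group is the right allow-list for the host.

```powershell
<#
  Added detection example for this advisory; not vendor code.
  Assumed: GUI process name wfc.exe; EventData field names RuleName, ModifyingUser,
  ModifyingApplication on events 2004-2006; Security 4688 available (process creation auditing).
  Run elevated in Windows PowerShell 5.1 so the Security log is readable.
#>
param(
    [int]$Hours = 24,              # how far back to look
    [int]$CorrelationMinutes = 10  # rule change must follow a non-admin launch within this window
)

$since = (Get-Date).AddHours(-$Hours)

# SIDs of local Administrators; any other account driving WFC or changing rules is reported.
# If the lookup fails this is empty and every actor is treated as non-admin.
$adminSids = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
               ForEach-Object { $_.SID.Value })

# Flatten an event's <EventData><Data Name="...">value</Data> elements into a hashtable.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $data[[string]$d.Name] = [string]$d.'#text' }
    return $data
}

# Translate a SID string to DOMAIN\name where possible; keep the SID otherwise.
function Convert-SidToName {
    param([string]$Sid)
    if (-not $Sid) { return '' }
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $Sid }
}

$actionNames = @{ 2004 = 'added'; 2005 = 'modified'; 2006 = 'deleted' }

# 1. Rule add/modify/delete events from the firewall operational log (enabled by default).
$ruleChanges = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    Id        = 2004, 2005, 2006
    StartTime = $since
} | ForEach-Object {
    $d = Get-EventData -Event $_
    [pscustomobject]@{
        Time         = $_.TimeCreated
        Action       = $actionNames[$_.Id]
        RuleName     = $d['RuleName']
        ModifiedBy   = Convert-SidToName -Sid $d['ModifyingUser']
        ModifyingApp = $d['ModifyingApplication']
        ByAdmin      = ($adminSids -contains $d['ModifyingUser'])
    }
})

# 2. Launches of the WFC GUI recorded by process-creation auditing (Security 4688).
$wfcLaunches = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4688; StartTime = $since
} | ForEach-Object {
    $d = Get-EventData -Event $_
    if ($d['NewProcessName'] -like '*\wfc.exe') {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            ByAdmin = ($adminSids -contains $d['SubjectUserSid'])
        }
    }
})

# 3. Report. The rule change itself may be attributed to a service account rather than the
#    interactive user, so the launch-to-change correlation is the signal, not ModifiedBy alone.
$suspectLaunches = @($wfcLaunches | Where-Object { -not $_.ByAdmin })
Write-Output "wfc.exe launches by non-administrators since $since`:"
$suspectLaunches | Format-Table -AutoSize

Write-Output 'Rule changes made by a non-administrator, or following a non-admin wfc.exe launch:'
$ruleChanges | Where-Object {
    $change = $_
    $followsLaunch = @($suspectLaunches | Where-Object {
        $change.Time -ge $_.Time -and $change.Time -le $_.Time.AddMinutes($CorrelationMinutes)
    }).Count -gt 0
    (-not $change.ByAdmin) -or $followsLaunch
} | Sort-Object Time | Format-Table -AutoSize
```

Feed the same two event sources into the SIEM for fleet-wide coverage; the host-local script is for triage on a single machine. If "Audit Process Creation" is not enabled, the launch list is empty and only changes attributed directly to a non-admin account are reported, which may miss the case this advisory describes.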
