CVE-2023-36657
📋 TL;DR
This vulnerability in OPSWAT MetaDefender KIOSK allows attackers to abuse built-in Windows features like desktop shortcuts and narrator to escalate privileges from a standard user to SYSTEM/administrator level. It affects OPSWAT MetaDefender KIOSK installations on Windows systems. This is a critical privilege escalation flaw with a CVSS score of 9.8.
💻 Affected Systems
- OPSWAT MetaDefender KIOSK
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where an attacker gains SYSTEM privileges, enabling installation of malware, data theft, lateral movement, and persistence mechanisms.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install unauthorized software, and access sensitive data on the kiosk system.
If Mitigated
Limited impact if proper network segmentation, least privilege, and monitoring are implemented, though local system compromise would still occur.
🎯 Exploit Status
Exploitation requires local access to the kiosk interface but uses simple Windows feature abuse techniques. The CWE-269 (Improper Privilege Management) classification suggests straightforward privilege escalation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 4.6.1.9996
Vendor Advisory: https://docs.opswat.com/mdkiosk/release-notes/cve-2023-36657
Restart Required: Yes
Instructions:
1. Update to the latest version of OPSWAT MetaDefender KIOSK. 2. Follow vendor update procedures from the release notes. 3. Restart the kiosk system after patching. 4. Verify the update was successful.
🔧 Temporary Workarounds
Disable Windows Accessibility Features
windowsTemporarily disable or restrict Windows narrator and shortcut features that can be abused for privilege escalation.
gpedit.msc to configure Group Policy for accessibility features
regedit to modify registry settings for narrator and shortcut handlers
Enhanced Kiosk Lockdown
windowsImplement stricter kiosk lockdown policies to prevent access to Windows features and system utilities.
Configure Assigned Access or Kiosk Mode policies
Use AppLocker to restrict executable access
🧯 If You Can't Patch
- Implement strict physical security controls to prevent unauthorized access to kiosk systems.
- Deploy network segmentation to isolate kiosk systems from critical network resources.
🔍 How to Verify
Check if Vulnerable:
Check the MetaDefender KIOSK version in the application interface or system information. Versions 4.6.1.9996 and earlier are vulnerable.Check Version:
Check the application's About section or use Windows system information tools to verify the installed version.Verify Fix Applied:
Verify the installed version is newer than 4.6.1.9996 and test that Windows accessibility features cannot be abused for privilege escalation.📡 Detection & Monitoring
Log Indicators:
- Unexpected activation of Windows narrator or accessibility features
- Creation of unusual desktop shortcuts
- Processes running with elevated privileges from kiosk user context
Network Indicators:
- Unusual outbound connections from kiosk systems
- Attempts to download additional payloads
SIEM Query:
EventID 4688 OR Process Creation events showing narrator.exe or shortcut-related processes with elevated privileges from kiosk user accounts