CVE-2023-36705

Q: What is the severity of CVE-2023-36705?

CVE-2023-36705 has a CVSS score of 7.8 (HIGH). This Windows Installer vulnerability allows attackers to elevate privileges on affected systems by exploiting improper handling of file operations. It affects Windows systems where an attacker can execute code with limited privileges. Successful exploitation enables attackers to gain SYSTEM-level access.

7.8 HIGH

📋 TL;DR

This Windows Installer vulnerability allows attackers to elevate privileges on affected systems by exploiting improper handling of file operations. It affects Windows systems where an attacker can execute code with limited privileges. Successful exploitation enables attackers to gain SYSTEM-level access.

💻 Affected Systems

Products:

Windows Installer

Versions: Multiple Windows versions - see Microsoft advisory for specific affected versions

Operating Systems: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022

Default Config Vulnerable: ⚠️ Yes

Notes: Affects systems with Windows Installer service enabled. Requires attacker to have ability to execute code on the target system.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, and lateral movement across the network.

🟠

Likely Case

Local privilege escalation allowing attackers to bypass security controls, install unauthorized software, and access sensitive system resources.

🟢

If Mitigated

Limited impact if proper access controls, least privilege principles, and application allowlisting are implemented.

🌐 Internet-Facing: LOW - Requires local access or ability to execute code on the target system.

🏢 Internal Only: HIGH - Significant risk from insider threats, compromised user accounts, or malware that gains initial foothold.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires local access and ability to execute code. No public exploit code available at time of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Security updates released in September 2023 Patch Tuesday

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36705

Restart Required: Yes

Instructions:

1. Apply latest Windows security updates via Windows Update. 2. For enterprise environments, deploy patches through WSUS or SCCM. 3. Verify installation via Windows Update history.

🔧 Temporary Workarounds

Disable Windows Installer service

windows

Temporarily disable Windows Installer service to prevent exploitation (may break legitimate software installation)

sc config msiserver start= disabled
net stop msiserver

Implement application control policies

windows

Use Windows Defender Application Control or AppLocker to restrict unauthorized software execution

🧯 If You Can't Patch

Implement strict least privilege principles - ensure users run with minimal necessary permissions
Enable Windows Defender Exploit Guard and configure Attack Surface Reduction rules

🔍 How to Verify

Check if Vulnerable:

Check Windows Update history for September 2023 security updates or use: wmic qfe list | findstr "KB"

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify KB5030217 (or later) is installed via: wmic qfe get hotfixid | findstr "KB5030217"

📡 Detection & Monitoring

Log Indicators:

Windows Installer service unusual activity
Event ID 11707, 11724 in Application logs
Unexpected SYSTEM privilege escalation

Network Indicators:

Not network exploitable - local privilege escalation only

SIEM Query:

EventID=11707 OR EventID=11724 | where ProcessName contains "msiexec" | where User contains "SYSTEM"

📊 Metadata

CVE ID: CVE-2023-36705

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-59

Published: November 14, 2023

Last Updated: November 21, 2024

🔗 References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36705 Patch,Vendor Advisory
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36705 Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 1507 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1607 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 1809 by Microsoft

Windows 10 21h2 by Microsoft

Windows 10 22h2 by Microsoft

Windows 11 21h2 by Microsoft

Windows 11 22h2 by Microsoft

Windows 11 23h2 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

Windows Server 2022 23h2 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable Windows Installer service

Implement application control policies

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities