CVE-2023-36723
📋 TL;DR
This vulnerability in Windows Container Manager Service allows an authenticated attacker to gain SYSTEM-level privileges by exploiting improper link resolution. It affects Windows systems running containerized workloads where an attacker has initial access.
💻 Affected Systems
- Windows Container Manager Service
📦 What is this software?
- Windows 10 1809 by Microsoft
- Windows 10 21H2 by Microsoft
- Windows 10 22H2 by Microsoft
- Windows 11 21H2 by Microsoft
- Windows 11 22H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges, enabling complete control over the host, lateral movement, and persistence establishment.
Likely Case
Privilege escalation from a lower-privileged user account to SYSTEM, allowing access to sensitive data and system configuration.
If Mitigated
Limited impact if proper access controls and container isolation are enforced, restricting initial attacker foothold.
🎯 Exploit Status
Requires authenticated access and knowledge of container service interaction; no public exploit available as of analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: October 2023 security updates (KB5031356 for Windows 11, KB5031354 for Windows 10, etc.)
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36723
Restart Required: Yes
Instructions:
1. Apply the October 2023 Windows security updates via Windows Update.
2. For enterprise: deploy through WSUS or Microsoft Endpoint Configuration Manager.
3. Verify update installation and restart systems.
🔧 Temporary Workarounds
Disable Windows Container feature (Windows): removes the vulnerable component if containers are not required for operations. This is a feature-level change, so confirm no workload depends on it before running it.
Disable-WindowsOptionalFeature -Online -FeatureName Containers
Restrict container service permissions (Windows): limits access to the Container Manager Service to authorized users only. Confirm the service's short name before applying this (on current Windows builds "cbdhsvc" is the Clipboard User Service, so resolve the Container Manager Service name with Get-Service or sc.exe query first), and save the current descriptor with sc.exe sdshow so the change can be reverted.
sc.exe sdset "cbdhsvc" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
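The following PowerShell script is an added example, not part of the advisory or of any Microsoft tooling. It performs the pre-checks a practitioner would want before applying either workaround above: it reports the state of the Containers feature, resolves the Container Manager Service's short name from its display name rather than trusting a hard-coded one, backs up the current service SDDL to a file, and only applies the restricted SDDL from the advisory when run with the `-Apply` switch. The display name lookup and the backup path are assumptions; run it from an elevated prompt.

```powershell
param([switch]$Apply)   # without -Apply the script is a dry run

# 1. Report the Containers optional feature state; disable it only if it is enabled and unused.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Containers
"Containers feature state: $($feature.State)"

# 2. Resolve the service short name from its display name (assumed 'Container Manager Service').
$svc = Get-Service -DisplayName 'Container Manager Service' -ErrorAction SilentlyContinue
if (-not $svc) { throw 'Container Manager Service not found on this host; nothing to harden' }
"Service name: $($svc.Name) (status: $($svc.Status))"

# 3. Back up the current security descriptor so the change can be reverted with:
#    sc.exe sdset <name> <contents of the backup file>
$backupPath = Join-Path $env:ProgramData ("{0}-sddl-backup-{1}.txt" -f $svc.Name, (Get-Date -Format yyyyMMddHHmmss))
$current = (sc.exe sdshow $svc.Name | Where-Object { $_.Trim() -like 'D:*' } | Select-Object -First 1).Trim()
if (-not $current) { throw "Could not read the current SDDL for $($svc.Name)" }
Set-Content -Path $backupPath -Value $current
"Current SDDL: $current"
"Backup written to: $backupPath"

# 4. Restricted descriptor taken from the advisory: SYSTEM and Administrators keep full control,
#    interactive and service users keep read/query rights only.
$restricted = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'

if ($Apply) {
    sc.exe sdset $svc.Name $restricted
    "Applied restricted SDDL to $($svc.Name)"
} else {
    'Dry run only. Re-run with -Apply to set the restricted SDDL on the resolved service.'
}
```

Keeping the backup outside the script's own directory matters because `sc.exe sdset` replaces the whole descriptor; if the restricted SDDL breaks a workload, `sc.exe sdset <name> <saved string>` from the backup file restores the original behaviour.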
🧯 If You Can't Patch
- Implement strict access controls and least privilege principles for container operations
- Monitor and audit container service activities for suspicious behavior
🔍 How to Verify
Check if Vulnerable:
Check the Windows version and whether the October 2023 security updates are installed using the systeminfo command; the filtered command below shows only the OS name and version, while the Hotfix(s) section of the full systeminfo output lists the installed KBs.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that KB5031356 (Windows 11) or KB5031354 (Windows 10) appears under Installed Updates (Settings > Windows Update > Update history, or Control Panel > Programs > View installed updates).
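The script below is an added example (not from the advisory) that automates the two checks in this section: it prints the OS caption, display version and full build number, then looks for either of the KB numbers the advisory names using `Get-HotFix`. The KB list is copied from the advisory; if a later cumulative update was installed directly, these KBs will not be listed even though the host is fixed, so the printed build number should then be compared against the build listed in the vendor advisory above.

```powershell
# KB numbers named in this advisory for the October 2023 updates.
$octoberKBs = @('KB5031356', 'KB5031354')

# OS identity: caption from CIM, display version (e.g. 22H2) and UBR from the registry.
$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$ver = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [System.Environment]::OSVersion.Version
"OS: $($os.Caption) $($ver.DisplayVersion), build $($build.Build).$($ver.UBR)"

# Look for any of the listed KBs among installed updates.
$installed = Get-HotFix | Where-Object { $octoberKBs -contains $_.HotFixID }

if ($installed) {
    foreach ($h in $installed) { "Installed: $($h.HotFixID) on $($h.InstalledOn)" }
    'Result: an October 2023 update from this advisory is present.'
} else {
    'Result: none of the listed KBs found. Either the host is unpatched, or a later cumulative'
    'update superseded them; compare the build number above with the fixed build in the vendor advisory.'
}
```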
📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 (process creation) showing a process created under the Container Manager Service path with a full or elevated token; this requires the "Audit Process Creation" policy to be enabled, and command-line logging if the CommandLine field is to be populated
- Unusual container service process creation, such as child processes of the container service that do not match the host's known container tooling
Network Indicators:
- Unexpected container service communication patterns
SIEM Query:
EventID=4688 AND NewProcessName="*\ContainerManager*" AND TokenElevationType=%%1936
Note on the TokenElevationType value: in 4688 events %%1936 is a Type 1 (full) token, which is what SYSTEM and service-context processes carry; %%1937 is a Type 2 token elevated through a UAC prompt; %%1938 is a Type 3 (limited) standard-user token. A query for processes running at SYSTEM level should therefore match %%1936 rather than %%1938.