CVE-2023-36729

7.8 HIGH

📋 TL;DR

This vulnerability allows an authenticated attacker to abuse the Named Pipe File System to elevate privileges on a Windows system. It affects Windows operating systems; an attacker who can already run code locally as a low-privileged user could gain SYSTEM-level access.

💻 Affected Systems

Products:
  • Microsoft Windows
Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default installations. Requires attacker to have ability to run code on the target system.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains SYSTEM privileges, enabling complete system compromise, data theft, persistence installation, and lateral movement.

🟠 Likely Case

Local privilege escalation from a standard user account to SYSTEM or administrator privileges on the compromised machine.

🟢 If Mitigated

Limited impact if proper access controls, least privilege principles, and network segmentation are enforced.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring authenticated access to the system.
🏢 Internal Only: HIGH - Significant risk from insider threats, compromised user accounts, or malware that gains initial foothold.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access and local code execution. No public exploit code available at time of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply September 2023 security updates or later

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36729

Restart Required: Yes

Instructions:

1. Apply Windows Update.
2. Select the September 2023 security updates.
3. Restart the system when prompted.

🔧 Temporary Workarounds

Restrict Named Pipe Access (platform: windows)

Configure security policies to restrict access to named pipes to only the users and services that need them.

Use Windows Security Policy or Group Policy to modify named pipe permissions.

🧯 If You Can't Patch

  • Implement strict least privilege principles for all user accounts
  • Enable Windows Defender Application Control or similar application whitelisting

🔍 How to Verify

Check if Vulnerable:

Check the Windows Update history for the September 2023 security updates. If they are not installed, the system is vulnerable.

Check Version:

wmic os get caption, version, buildnumber

Verify Fix Applied:

Verify that KB5030211 (or a later September 2023 update) is installed, via the Windows Update history or the 'wmic qfe list' command.
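The verification above, carried out as a script rather than by eye. This is an added example, not part of the advisory: it assumes the KB number listed on this page (KB5030211) and a patch cutoff date of 2023-09-01; the September 2023 cumulative update carries a different KB number on each Windows version, so substitute the number for your SKU from the vendor advisory.

```powershell
# Added example: check whether the CVE-2023-36729 fix is present on this host.
# Assumptions: $Kb is the KB number named on this page; $PatchCutoff is an
# assumed date used only for the fallback check. Adjust both for your SKU.
param(
    [string]$Kb = 'KB5030211',
    [datetime]$PatchCutoff = [datetime]'2023-09-01'
)

# Same information as 'wmic os get caption, version, buildnumber'.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host ("OS: {0} (version {1}, build {2})" -f $os.Caption, $os.Version, $os.BuildNumber)

# Get-HotFix reads Win32_QuickFixEngineering, the same source as 'wmic qfe list'.
$hotfixes = Get-HotFix

$match = $hotfixes | Where-Object { $_.HotFixID -eq $Kb }
if ($match) {
    Write-Host ("{0} installed on {1}: fix applied." -f $Kb, $match.InstalledOn)
    exit 0
}

# Fallback: a later cumulative update supersedes the named KB, so list
# security updates installed at or after the cutoff for manual confirmation.
$later = $hotfixes |
    Where-Object {
        $_.InstalledOn -and $_.InstalledOn -ge $PatchCutoff -and
        $_.Description -match 'Security|Update'
    } |
    Sort-Object InstalledOn -Descending

if ($later) {
    Write-Host ("{0} not found, but updates installed since {1} are present:" -f $Kb, $PatchCutoff.ToShortDateString())
    $later | Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize
    Write-Host "Confirm against the vendor advisory that one of these supersedes the September 2023 fix."
    exit 2
}

Write-Host ("Neither {0} nor any update since {1} is installed: treat this host as vulnerable." -f $Kb, $PatchCutoff.ToShortDateString())
exit 1
```

Exit code 0 means the named KB is present, 2 means a possibly superseding update needs manual confirmation, and 1 means no relevant update was found.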

📡 Detection & Monitoring

Log Indicators:

  • Unusual named pipe creation events in Windows Security logs
  • Process creation events showing privilege escalation patterns

Network Indicators:

  • Not network exploitable - local privilege escalation only

SIEM Query:

EventID=4688 AND (NewProcessName contains 'cmd.exe' OR NewProcessName contains 'powershell.exe') AND SubjectUserName != SYSTEM AND TokenElevationType != %%1936
