CVE-2023-36770

7.8 HIGH

📋 TL;DR

CVE-2023-36770 is a heap-based buffer overflow vulnerability in Microsoft 3D Builder that allows remote code execution when processing specially crafted 3D model files. Attackers can exploit this by tricking users into opening malicious files, potentially gaining the same privileges as the current user. This affects users of Microsoft 3D Builder on Windows systems.

💻 Affected Systems

Products:
  • Microsoft 3D Builder
Versions: All versions prior to the security update
Operating Systems: Windows 10, Windows 11
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user interaction to open malicious 3D file. App is pre-installed on some Windows versions but may not be actively used.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining SYSTEM privileges, installing malware, stealing credentials, and establishing persistence.

🟠

Likely Case

Attacker gains user-level privileges, executes arbitrary code, installs ransomware or spyware, and accesses sensitive user data.

🟢

If Mitigated

Limited impact with proper application sandboxing, user running with minimal privileges, and network segmentation preventing lateral movement.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening malicious file). No public exploit code available at disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Security update through Windows Update

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36770

Restart Required: Yes

Instructions:

1. Open Windows Update Settings.
2. Click 'Check for updates'.
3. Install all available security updates.
4. Restart the computer if prompted.

🔧 Temporary Workarounds

Uninstall 3D Builder (Windows): remove the vulnerable application if it is not needed.

  Get-AppxPackage Microsoft.3DBuilder | Remove-AppxPackage

Disable file type associations (Windows): prevent 3D files from automatically opening in 3D Builder.

🧯 If You Can't Patch

  • Implement application allowlisting to block 3D Builder execution
  • Educate users not to open 3D files from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check whether 3D Builder is installed and whether the machine has received recent Windows security updates

Check Version:

Get-AppxPackage Microsoft.3DBuilder | Select Version

Verify Fix Applied:

Verify Windows Update history shows September 2023 security updates installed
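The three checks above combined into one script, as an added example that is not part of the advisory. It assumes an elevated PowerShell 5.1+ session; because the page gives no KB number for the fix, it infers patch status from the update install date (September 2023 Patch Tuesday, 2023-09-12) rather than from a specific update identifier.

```powershell
# Added example (not from the advisory): enumerate 3D Builder installs for every
# user profile, then check whether security updates newer than September 2023 exist.
# Assumption: the fix KB number is not on the page, so "patched" is inferred from dates.

function Test-3DBuilderExposure {
    # Threshold is an assumption: September 2023 Patch Tuesday was 2023-09-12.
    $patchTuesday = Get-Date '2023-09-12'

    # -AllUsers matters: without it Get-AppxPackage only lists the calling user's
    # packages, so a copy provisioned for another profile would be missed.
    $installs = Get-AppxPackage -AllUsers -Name 'Microsoft.3DBuilder'

    $profiles = @()
    foreach ($pkg in $installs) {
        $users = $pkg.PackageUserInformation |
            ForEach-Object { $_.UserSecurityId.Username }
        $profiles += [pscustomobject]@{
            Version = $pkg.Version
            Users   = ($users -join ', ')
        }
    }

    # Windows Update history as the advisory describes it: Get-HotFix lists
    # installed cumulative/security updates with their InstalledOn date.
    $recent = Get-HotFix |
        Where-Object { $_.InstalledOn -ge $patchTuesday } |
        Sort-Object InstalledOn

    [pscustomobject]@{
        Installed        = [bool]$installs
        Installs         = $profiles
        UpdatedSinceSep23 = [bool]$recent
        RecentUpdates    = $recent | Select-Object HotFixID, Description, InstalledOn
        # Exposed only when the app is present AND no post-September-2023 update exists.
        Exposed          = ([bool]$installs) -and (-not $recent)
    }
}

$result = Test-3DBuilderExposure
if (-not $result.Installed) {
    Write-Output 'Microsoft.3DBuilder is not installed for any user: not exposed.'
} else {
    $result.Installs | Format-Table -AutoSize
    if ($result.Exposed) {
        Write-Output 'No updates since 2023-09-12: treat as unpatched and run Windows Update.'
    } else {
        $result.RecentUpdates | Format-Table -AutoSize
    }
}
```

The date check is a heuristic: an update newer than the threshold shows the host is receiving patches, but confirm the specific fix against the vendor advisory linked above.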

📡 Detection & Monitoring

Log Indicators:

  • Process creation events for 3DBuilder.exe with suspicious parent processes
  • Application crash logs for 3D Builder

Network Indicators:

  • Downloads of 3D file extensions (.3mf, .stl, .obj) from untrusted sources

SIEM Query:

source="Windows Security" EventID=4688 ProcessName="3DBuilder.exe"