CVE-2023-38184

7.5 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Windows systems running LDAP services by exploiting a use-after-free memory corruption flaw triggered by specially crafted LDAP requests. It affects Windows servers and workstations with LDAP enabled, particularly domain controllers and other Active Directory systems. On a domain controller the LDAP server runs inside lsass.exe, so successful exploitation means code execution as SYSTEM and complete compromise of the host and, through it, the domain.

💻 Affected Systems

Products:
  • Windows Server
  • Windows Client
Versions: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only systems that expose an LDAP service (AD DS domain controllers, AD LDS instances) are reachable by the crafted requests; domain controllers are particularly at risk because the listener is on by default and runs inside lsass.exe.

📦 What is this software?

LDAP on Windows is served by Active Directory Domain Services (on domain controllers, hosted inside lsass.exe) and by Active Directory Lightweight Directory Services (AD LDS); Windows clients reach it through the built-in LDAP client library (wldap32.dll). Domain controllers listen on TCP/UDP 389 (LDAP) and TCP 636 (LDAPS); global catalog servers additionally listen on TCP 3268 and 3269.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with administrative privileges, enabling attacker persistence, lateral movement, and data exfiltration across the network.

🟠

Likely Case

Remote code execution leading to service disruption, credential theft, and installation of malware/backdoors on affected systems.

🟢

If Mitigated

Limited impact with proper network segmentation, patch management, and LDAP hardening; exploitation attempts would be blocked or detected.

🌐 Internet-Facing: MEDIUM - LDAP services should not be internet-facing, but misconfigured systems could be exposed.
🏢 Internal Only: HIGH - Internal attackers or compromised systems could exploit this to move laterally within the network.

🎯 Exploit Status

Public PoC: None known
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Microsoft rates this 'Exploitation More Likely' in its advisory. Triggering the flaw requires sending specially crafted LDAP requests to the LDAP service; no authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply the October 2023 security updates (released 10 October 2023) or any later cumulative update

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38184

Restart Required: Yes

Instructions:

1. Apply the Windows security updates from October 2023 or later.
2. For domain controllers, install the updates during a maintenance window, one DC at a time so the domain keeps a patched-or-isolated quorum.
3. Restart each affected system after patching; the fix is not in force until the reboot completes.

🔧 Temporary Workarounds

Block LDAP ports at the network perimeter (all platforms)

Prevent external access to LDAP services (TCP/UDP 389, 636, 3268, 3269). Use firewall rules to block inbound LDAP traffic from untrusted networks. Domain controllers still need these ports open to domain members, so scope the block to untrusted source ranges rather than closing the ports outright.

Enable LDAP channel binding and signing (windows)

Hardens LDAP sessions and rejects unsigned or unbound traffic, which makes exploitation harder. It does not remove the use-after-free: treat it as exposure reduction, not a fix, and assume it gives no protection if the flaw is reachable before a bind completes.

Configure Group Policy on domain controllers (server side): Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > 'Domain controller: LDAP server signing requirements' = 'Require signing' and 'Domain controller: LDAP server channel binding token requirements' = 'Always'. The matching client-side setting is 'Network security: LDAP client signing requirements' = 'Require signing'. Before enforcing, check the Directory Service log on each DC for Event ID 2889, which lists clients still binding unsigned; those clients will fail once signing is mandatory.
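The two workarounds above, applied from an elevated PowerShell on a domain controller, as an added example that is not part of the original advisory. The untrusted ranges are placeholders (TEST-NET addresses) and must be replaced with your own DMZ or guest subnets; the registry values are the ones behind the Group Policy settings named above.

```powershell
# Added example, not from the original page. Run elevated on a domain controller.
$UntrustedNets = @('192.0.2.0/24', '198.51.100.0/24')   # assumption: your DMZ/guest subnets
$LdapPorts     = @('389', '636', '3268', '3269')
$NtdsParams    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NtdsDiag      = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# 1. Block LDAP, LDAPS and Global Catalog ports from the untrusted ranges.
#    Windows Firewall lets a matching Block rule win over every Allow rule, so scope the
#    block to the untrusted sources instead of trying to out-rank the built-in
#    "Active Directory Domain Services" allow rules with an allow-from-trusted rule.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "CVE-2023-38184 block LDAP $proto from untrusted" `
        -Direction Inbound -Action Block -Protocol $proto -LocalPort $LdapPorts `
        -RemoteAddress $UntrustedNets -Profile Any | Out-Null
}

# 2. Inventory unsigned binds before enforcing signing: raising "16 LDAP Interface Events"
#    to 2 makes the DC log Event 2889 (per client) and 2887 (24h summary) in the
#    Directory Service log.
Set-ItemProperty -Path $NtdsDiag -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# 3. Require LDAP signing and channel binding tokens on the DC side. These are the registry
#    values behind "Domain controller: LDAP server signing requirements" (2 = Require
#    signing) and "Domain controller: LDAP server channel binding token requirements"
#    (2 = Always). Clients that still bind unsigned (Event 2889) will break here.
Set-ItemProperty -Path $NtdsParams -Name 'LDAPServerIntegrity'       -Value 2 -Type DWord
Set-ItemProperty -Path $NtdsParams -Name 'LdapEnforceChannelBinding' -Value 2 -Type DWord

# Read back what is now in force.
Get-NetFirewallRule -DisplayName 'CVE-2023-38184*' |
    Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
Get-ItemProperty -Path $NtdsParams -Name LDAPServerIntegrity, LdapEnforceChannelBinding |
    Select-Object LDAPServerIntegrity, LdapEnforceChannelBinding
```

Step 3 is the one that changes behaviour for legitimate clients; run step 2 alone for a day or two first and clear the 2889 sources before setting the two NTDS values. If Group Policy already manages these settings, set them there instead, since a GPO refresh will overwrite the local registry values.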

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate LDAP servers from untrusted networks
  • Deploy intrusion detection/prevention systems to monitor for LDAP exploitation attempts

🔍 How to Verify

Check if Vulnerable:

A Windows host is vulnerable if it exposes an LDAP service and has not installed the October 2023 cumulative update (or a later one) and rebooted. Check Windows Update history or the installed hotfix list.

Check Version:

Get-HotFix -Id KB5031356

KB5031356 is the October 2023 cumulative update for Windows 10 21H2/22H2; Windows 11 and each Windows Server version have their own KB number, listed on the MSRC advisory page. Because cumulative updates supersede each other, a later monthly update also carries the fix even though the October KB itself is not listed. (wmic is deprecated; the equivalent legacy command is 'wmic qfe list | findstr KB5031356'.)

Verify Fix Applied:

Verify that the October 2023 update for your OS version, or any later cumulative update, is installed and that the system has been restarted since; a pending reboot means the old lsass.exe is still running.
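The check described above as one script, added here as an example that is not part of the original page. It compares the running build's update revision (UBR) against the minimum that contains the fix, reports whether a reboot is still pending, and lists the LDAP services on the host so you know whether the machine is exposed at all. Only the Windows 10 21H2/22H2 entry (KB5031356, build 19044/19045 revision 3570) is filled in; the other builds are assumptions you fill in from the MSRC advisory.

```powershell
# Added example, not from the original page.
function Get-Cve202338184Status {
    param(
        # Minimum UBR that contains the October 2023 fix, keyed by CurrentBuild.
        # Only the Windows 10 21H2/22H2 entry is known here (KB5031356 = 19044/19045.3570);
        # assumption: you add the Windows 11 / Server builds from the MSRC advisory.
        [hashtable]$MinimumUbr = @{ '19044' = 3570; '19045' = 3570 }
    )

    $nt     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build  = [string]$nt.CurrentBuild
    $ubr    = [int]$nt.UBR
    $need   = $MinimumUbr[$build]
    # The servicing stack commits a cumulative update on reboot; until then the old
    # lsass.exe is still running even if the update shows as installed.
    $reboot = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'

    # Is there an LDAP service on this host at all? NTDS = AD DS, ADAM_* = AD LDS instances.
    $ldapServices = Get-Service | Where-Object { $_.Name -eq 'NTDS' -or $_.Name -like 'ADAM_*' } |
                    ForEach-Object { "$($_.Name) ($($_.Status))" }
    $listening    = [bool](Get-NetTCPConnection -LocalPort 389 -State Listen -ErrorAction SilentlyContinue)

    $status = if ($null -eq $need)          { 'Unknown build: add it to MinimumUbr from the advisory' }
              elseif ($ubr -lt $need)       { 'VULNERABLE: update not installed' }
              elseif ($reboot)              { 'Update installed, reboot pending' }
              else                          { 'Patched' }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Build         = "$build.$ubr"
        RequiredUbr   = $need
        RebootPending = $reboot
        LdapServices  = ($ldapServices -join ', ')
        Ldap389Listen = $listening
        Status        = $status
    }
}

Get-Cve202338184Status | Format-List
```

Run it through Invoke-Command against every domain controller rather than one box at a time; a single unpatched DC is enough, since the crafted requests can be sent to any DC a client can reach.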

📡 Detection & Monitoring

Log Indicators:

  • lsass.exe crashes: Application log, provider 'Application Error', Event ID 1000 with lsass.exe as the faulting application. A failed use-after-free attempt commonly ends in an lsass crash, which on a domain controller forces a reboot.
  • Any child process of lsass.exe (Security Event ID 4688 with ParentProcessName ending in \lsass.exe). lsass.exe does not legitimately spawn processes, so every hit is worth investigating.
  • Unsigned LDAP binds: Directory Service log, Event ID 2889 (needs '16 LDAP Interface Events' diagnostics set to 2). This is an inventory of clients to fix before enforcing signing, not an exploitation indicator on its own.
  • Bursts of failed or malformed LDAP binds from a single source.

Network Indicators:

  • Unusual LDAP traffic volumes or timing from a single source
  • Malformed or oversized LDAP PDUs (BER that does not decode cleanly)
  • Traffic to LDAP ports (TCP/UDP 389, 636, 3268, 3269) from sources that are not domain members or known directory clients

SIEM Query:

source="Windows Security" EventCode=4688 ParentProcessName="*\\lsass.exe"

ParentProcessName is a full path, so the match needs the leading wildcard; NewProcessName is left unconstrained on purpose, because any child of lsass.exe is suspicious. Process-creation auditing must be enabled for 4688 to exist, and CommandLine is only populated if command-line auditing is switched on as well.
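The three log indicators above as one hunting script for a domain controller, added here as an example and not taken from the original page. It pulls lsass.exe children from the Security log, lsass.exe faults from the Application log, and unsigned-bind sources from the Directory Service log, and returns them as one list; the seven-day window is an assumption.

```powershell
# Added example, not from the original page. Run elevated on a domain controller.
function Find-LdapExploitIndicators {
    param([datetime]$Since = (Get-Date).AddDays(-7))   # assumption: one week back

    # 1. Children of lsass.exe (Security 4688). Requires "Audit Process Creation";
    #    CommandLine stays empty unless command-line auditing is also enabled.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $fields = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
            if ($fields['ParentProcessName'] -like '*\lsass.exe') {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Kind   = 'lsass child process'
                    Detail = "$($fields['NewProcessName']) $($fields['CommandLine'])"
                }
            }
        }

    # 2. lsass.exe faults (Application log, provider "Application Error", Event 1000).
    #    A failed memory-corruption attempt against the LDAP server usually ends here.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'lsass\.exe' } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Kind   = 'lsass crash'
                Detail = ($_.Message -split "`r?`n")[0]
            }
        }

    # 3. Unsigned binds (Directory Service log, Event 2889), one row per client address.
    #    Properties[0] of a 2889 event is the client "IP:port" string. Inventory only.
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $Since } -ErrorAction SilentlyContinue |
        Group-Object { ([string]$_.Properties[0].Value) -replace ':\d+$', '' } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.Group[0].TimeCreated      # Get-WinEvent returns newest first
                Kind   = 'unsigned LDAP bind'
                Detail = "$($_.Name) ($($_.Count) binds)"
            }
        }
}

Find-LdapExploitIndicators | Sort-Object Time | Format-Table -AutoSize
```

The first two categories are the ones to alert on; the third is noise until you are ready to enforce signing, at which point it becomes the list of clients to fix first. Forward the same three event IDs to your SIEM so the check does not depend on someone running the script.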
