CVE-2023-21768
Published 2023-01-10
CVE-2023-21768: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
PriorityP181high7.8CVSS 3.1
CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 65.42% (99.2nd percentile)
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_11 | — | — |
| microsoft | windows_11_version_21h2 | >= 10.0.0 < 10.0.22000.1455 | 10.0.22000.1455 |
| microsoft | windows_11_version_22h2 | >= 10.0.22621.0 < 10.0.22621.1105 | 10.0.22621.1105 |
| microsoft | windows_server_2022 | >= 10.0.20348.0 < 10.0.20348.1487 | 10.0.20348.1487 |
| msrc | windows_11_version_21h2_for_arm64-based_systems | — | — |
| msrc | windows_11_version_21h2_for_x64-based_systems | — | — |
| msrc | windows_11_version_22h2_for_arm64-based_systems | — | — |
| msrc | windows_11_version_22h2_for_x64-based_systems | — | — |
| msrc | windows_server_2022 | — | — |
Detection & IOCs (extracted from sources)
- Monitor for malicious IOCTL requests sent to the AFD driver (afd.sys) from user-mode processes, which may indicate exploitation of the Write-Where primitive via AfdNotifyRemoveIoCompletion.
- Exploit targets Windows 11 22H2 up to build 22621.963 only; detections should focus on unpatched systems at or below this build (patched by the January 2023 updates KB5022291, KB5022287, KB5022303).
- CVE-2023-21768 is included as a revert-patch example in the Windows Downdate tool; monitor for downgrade attacks that re-expose this vulnerability on otherwise patched systems.
- The exploit is scoped exclusively to Windows 11 22H2 and Windows Server 2022 22H2; other Windows versions are not affected.
- The Metasploit module confirms the upper build boundary: exploitation is only possible up to build 22621.963, patched by the January 2023 cumulative updates.
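A read-only patch-state check a defender can run on a host, added here as an example and not taken from any of the sources quoted on this page. It compares the host's build and UBR against the fixed-in builds from the table above and reports whether the January 2023 KBs named in the detection note are present; the function name is an assumption.

```powershell
# Added example (not from this page's sources): compare this host's build,
# including the UBR, with the fixed-in builds listed in the Affected table.
function Test-Cve202321768Patch {
    # Fixed-in builds from the table on this page, keyed by build number.
    $fixed = @{
        22000 = [version]'10.0.22000.1455'   # Windows 11 21H2
        22621 = [version]'10.0.22621.1105'   # Windows 11 22H2
        20348 = [version]'10.0.20348.1487'   # Windows Server 2022
    }
    # KB numbers from the detection note on this page.
    $kbs = 'KB5022291', 'KB5022287', 'KB5022303'

    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    # UBR is the fourth version component (e.g. 22621.963 is below 22621.1105).
    $current = [version]"$($cv.CurrentMajorVersionNumber).$($cv.CurrentMinorVersionNumber).$build.$($cv.UBR)"

    # Which of the named cumulative updates the host reports as installed.
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)

    $fixedIn = $null
    if ($fixed.ContainsKey($build)) { $fixedIn = $fixed[$build] }

    if ($null -eq $fixedIn) {
        $state = 'NotInScope'      # build is not in any range listed on this page
    } elseif ($current -lt $fixedIn) {
        $state = 'Vulnerable'      # below the fixed-in build: still exposed
    } else {
        $state = 'Patched'
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Build        = $current
        FixedIn      = $fixedIn
        State        = $state
        KBsInstalled = ($installed -join ', ')
    }
}

Test-Cve202321768Patch | Format-List
```

The build/UBR comparison is the authoritative signal; Get-HotFix can omit a cumulative update that a later one has superseded, so an empty KBsInstalled with State = Patched is not by itself a finding. A host reporting Patched that later shows a lower build is consistent with the downgrade scenario in the detection note above.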
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 7.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
| vendor_msrc | — | 7.8 | HIGH | — |
GHSA
GHSA-j69v-7pj3-vg67: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
ghsa_unreviewed·2023-01-11
CVE-2023-21768 [HIGH] GHSA-j69v-7pj3-vg67: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability.
VulnCheck
Windows Ancillary Function Driver for WinSock Privilege Escalation
vulncheck·2023·CVSS 7.8
CVE-2023-21768 [HIGH] Windows Ancillary Function Driver for WinSock Privilege Escalation
Windows Ancillary Function Driver for WinSock Privilege Escalation
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://securityintelligence.com/posts/patch-tuesday-exploit-wednesday-pwning-windows-ancillary-function-driver-winsock/; https://ti.qianxin.com/uploads/2024/02/02/dcc93e586f9028c68e7ab34c3326ff31.pdf
Exploit PoC: https://vulncheck.com/xdb/a2215d69e357; https://vulncheck.com/xdb/784b586cbad4; https://vulncheck.com/xdb/1c3e7f162c3a; https://vuln
Red Hat
gstreamer-plugins-bad: Integer overflow in H.265 video parser leading to stack overwrite
vendor_redhat·2023-09-20·CVSS 8.8
CVE-2023-40476 [HIGH] CWE-190 gstreamer-plugins-bad: Integer overflow in H.265 video parser leading to stack overwrite
gstreamer-plugins-bad: Integer overflow in H.265 video parser leading to stack overwrite
GStreamer H265 Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the parsing of H265 encoded video files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-21768.
A stack-based buffer overflow was found
Microsoft
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
vendor_msrc·2023-01-10·CVSS 7.8
CVE-2023-21768 [HIGH] CWE-822 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability?
An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
Windows Ancillary Function Driver for WinSock: Windows Ancillary Function Driver for WinSock
Microsoft: Microsoft
Customer Action Required: Yes
Impact: Elevation of Privilege
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation More Likely; DOS: N/A
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5022291
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5022287
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB502230
No detection rules found.
Bleepingcomputer
Windows Downdate tool lets you 'unpatch' Windows systems
blogs_bleepingcomputer·2024-08-27·CVSS 7.8
[HIGH] Windows Downdate tool lets you 'unpatch' Windows systems
## Windows Downdate tool lets you 'unpatch' Windows systems
By Sergiu Gatlan
Leviev has also shared multiple usage examples that allow downgrading the Hyper-V hypervisor (to a two-year-old version), Windows Kernel, the NTFS driver, and the Filter Manager driver (to their base versions), and other Windows components and previously applied security patches.
"You can use it to take over Windows Updates to downgrade and expose past vulnerabilities sourced in DLLs, drivers, the NT kernel, the Secure Kernel, the Hypervisor, IUM trustlets and more," SafeBreach security researcher Alon Leviev explained.
"Other than custom downgrades, Windows Downdate provides easy to use usage examples of reverting patches for CVE-2021-27090, CVE-2022-34709, CVE-2023-21768 and PPLFault, as well as examples fo
Sentinelone
CVE-2023-21768: Windows Local Privilege Escalation Vulnerability
blogs_sentinelone·2023-03-20·CVSS 7.8
CVE-2023-21768 [HIGH] CVE-2023-21768: Windows Local Privilege Escalation Vulnerability
Recently, Microsoft released a security advisory for a vulnerability in the Windows Ancillary Function Driver (AFD) that could lead to the elevation of privilege. This vulnerability, identified as CVE-2023-21768, affects the AFD driver in Windows Server 2022 and Windows 11 22H2, and an attacker could exploit it to execute arbitrary code with elevated privileges.
## Vulnerability Details (CVE-2023-21768)
To understand the vulnerability, it’s important first to understand what AFD is and what it does. AFD is a kernel-mode driver that supports WinSock, a programming interface for accessing network services in Windows.
AFD is responsible for managing network sockets, which are the endpoints of communication channels between programs on a network. Sockets allow programs to send and receive d
Sentinelone
Cloud Computing Myths | Top 5 Misconceptions
blogs_sentinelone·2023-03-15
Cloud Computing Myths | Top 5 Misconceptions
Three years ago, during the global pandemic, businesses worldwide shifted their focus to delivering services digitally, supported by remote workforces and virtual environments. Many of these businesses hastily spun up cloud infrastructures to bolster critical aspects of their operations.
Threat actors saw an opportunity during this time and data breaches and cyberattacks targeting the cloud rose alongside cloud adoption. Now, leaders are shifting their focus again: This time to implement better strategies to secure the cloud infrastructures that carried them through the pandemic.
With so many myths and misconceptions surrounding cloud security, it is essential for business leaders to separate fact from fiction regarding how to secure the cloud. In this post, we debunk the top five myths
Talos
Microsoft Patch Tuesday for January 2023 — Snort rules and prominent vulnerabilities
blogs_talos·2023-01-10·CVSS 8.1
CVE-2023-21743 [HIGH] Microsoft Patch Tuesday for January 2023 — Snort rules and prominent vulnerabilities
Microsoft released its monthly security update on Tuesday, disclosing 98 vulnerabilities. Of these vulnerabilities, 11 are classified as “Critical”, 87 are classified as “Important”, and none are classified as “Moderate.”
According to Microsoft, all “Critical” vulnerabilities are either less likely or unlikely to be exploited, except for the security bypass vulnerability CVE-2023-21743 on Microsoft SharePoint Server machines. This vulnerability has a low complexity and can be easily triggered by an attacker. In a network-based attack, an unauthenticated user could make an anonymous connection to the targeted SharePoint server.
Two of the “Critical” vulnerabilities, which Microsoft considers to be “less likely” to be exploited due to their complexity, are CVE-2023-21535 and CVE-2023-21548.