**CRITICAL RISK** CVE-2023-28229 Microsoft Windows (Multiple Editions)- Unauthorised Escalation of Privilege to Superuser (‘SYSTEM’) Context via Race Condition in CNG Key Isolation Service (2024)

Background & Context

Microsoft Windows is a group of several proprietary graphical operating system families developed and marketed by Microsoft. Each family caters to a certain sector of the computing industry. As of September 2022, the most recent version of Windows is Windows 11 for consumer PCs and tablets, Windows 11 Enterprise for corporations, and Windows Server 2022 for servers.

Windows features an update to the crypto API known as Cryptography API: Next Generation (CNG). The CNG API is a user mode and kernel mode API that includes support for elliptic curve cryptography (ECC) and a number of newer algorithms that are part of the National Security Agency (NSA) Suite B. It is extensible, featuring support for plugging in custom cryptographic APIs into the CNG runtime. The CNG key isolation service is hosted in the LSA process. The service provides key process isolation to private keys and associated cryptographic operations as required by the Common Criteria. The service stores and uses long-lived keys in a secure process complying with Common Criteria requirements.

Vulnerability Summary

The CNG Key Isolation Service in Microsoft Windows contains a security vulnerability that permits unauthorised escalation of privileges if an attacker is able to win a race condition between the initialization and addition of cryptographic keys.

Impact If Exploited

An attacker who successfully exploited this vulnerability could gain specific limited SYSTEM privileges and potentially execute arbitrary code or commands within that privileged context.

NOTE: CISA (America’s Cyber Defense Agency) has reported this vulnerability as known to be actively exploited in the wild as of 2023-10-05. Remediation should be prioritised in any impacted environment.

Affected Product Versions

  • Windows Server 2012 R2 (Server Core installation) prior to release 6.3.9600.20919
  • Windows Server 2012 R2 prior to release 6.3.9600.20919
  • Windows Server 2012 (Server Core installation) prior to release 6.2.9200.24216
  • Windows Server 2012 prior to release 6.2.9200.24216
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) prior to release 6.1.7601.26466
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 prior to release 6.1.7601.26466
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) prior to release 6.0.6003.22015
  • Windows Server 2008 for x64-based Systems Service Pack 2 prior to release 6.0.6003.22015
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) prior to release 6.0.6003.22015
  • Windows Server 2008 for 32-bit Systems Service Pack 2 prior to release 6.0.6003.22015
  • Windows Server 2016 (Server Core installation) prior to release 10.0.14393.5850
  • Windows Server 2016 prior to release 10.0.14393.5850
  • Windows 10 Version 1607 for x64-based Systems prior to release 10.0.14393.5850
  • Windows 10 Version 1607 for 32-bit Systems prior to release 10.0.14393.5850
  • Windows 10 for x64-based Systems prior to release 10.0.10240.19869
  • Windows 10 for 32-bit Systems prior to release 10.0.10240.19869
  • Windows 10 Version 22H2 for 32-bit Systems prior to release 10.0.19045.2846
  • Windows 10 Version 22H2 for ARM64-based Systems prior to release 10.0.19045.2846
  • Windows 10 Version 22H2 for x64-based Systems prior to release 10.0.19045.2846
  • Windows 11 Version 22H2 for x64-based Systems prior to release 10.0.22621.1555
  • Windows 11 Version 22H2 for ARM64-based Systems prior to release 10.0.22621.1555
  • Windows 10 Version 21H2 for x64-based Systems prior to release 10.0.19044.2846
  • Windows 10 Version 21H2 for ARM64-based Systems prior to release 10.0.19044.2846
  • Windows 10 Version 21H2 for 32-bit Systems prior to release 10.0.19044.2846
  • Windows 11 version 21H2 for ARM64-based Systems prior to release 10.0.22000.1817
  • Windows 11 version 21H2 for x64-based Systems prior to release 10.0.22000.1817
  • Windows 10 Version 20H2 for ARM64-based Systems prior to release 10.0.19042.2846
  • Windows 10 Version 20H2 for 32-bit Systems prior to release 10.0.19042.2846
  • Windows 10 Version 20H2 for x64-based Systems prior to release 10.0.19042.2846
  • Windows Server 2022 (Server Core installation) prior to release 10.0.20348.1668
  • Windows Server 2022 prior to release 10.0.20348.1668
  • Windows Server 2019 (Server Core installation) prior to release 10.0.17763.4252
  • Windows Server 2019 prior to release 10.0.17763.4252
  • Windows 10 Version 1809 for ARM64-based Systems prior to release 10.0.17763.4252
  • Windows 10 Version 1809 for x64-based Systems prior to release 10.0.17763.4252
  • Windows 10 Version 1809 for 32-bit Systems prior to release 10.0.17763.4252

Remediation

Official Fix & Remediation Guidance

Customers are advised to update to the latest version of any impacted products. Use Microsoft Automatic Update to apply the appropriate patch for your system, or the Microsoft Security Update Guide to search for available patches. See references for direct links.

Fixed versions:

  • Windows Server 2012 R2 (Server Core installation) release 6.3.9600.20919
  • Windows Server 2012 R2 release 6.3.9600.20919
  • Windows Server 2012 (Server Core installation) release 6.2.9200.24216
  • Windows Server 2012 release 6.2.9200.24216
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) release 6.1.7601.26466
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 release 6.1.7601.26466
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) release 6.0.6003.22015
  • Windows Server 2008 for x64-based Systems Service Pack 2 release 6.0.6003.22015
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) release 6.0.6003.22015
  • Windows Server 2008 for 32-bit Systems Service Pack 2 release 6.0.6003.22015
  • Windows Server 2016 (Server Core installation) release 10.0.14393.5850
  • Windows Server 2016 release 10.0.14393.5850
  • Windows 10 Version 1607 for x64-based Systems release 10.0.14393.5850
  • Windows 10 Version 1607 for 32-bit Systems release 10.0.14393.5850
  • Windows 10 for x64-based Systems release 10.0.10240.19869
  • Windows 10 for 32-bit Systems release 10.0.10240.19869
  • Windows 10 Version 22H2 for 32-bit Systems release 10.0.19045.2846
  • Windows 10 Version 22H2 for ARM64-based Systems release 10.0.19045.2846
  • Windows 10 Version 22H2 for x64-based Systems release 10.0.19045.2846
  • Windows 11 Version 22H2 for x64-based Systems release 10.0.22621.1555
  • Windows 11 Version 22H2 for ARM64-based Systems release 10.0.22621.1555
  • Windows 10 Version 21H2 for x64-based Systems release 10.0.19044.2846
  • Windows 10 Version 21H2 for ARM64-based Systems release 10.0.19044.2846
  • Windows 10 Version 21H2 for 32-bit Systems release 10.0.19044.2846
  • Windows 11 version 21H2 for ARM64-based Systems release 10.0.22000.1817
  • Windows 11 version 21H2 for x64-based Systems release 10.0.22000.1817
  • Windows 10 Version 20H2 for ARM64-based Systems release 10.0.19042.2846
  • Windows 10 Version 20H2 for 32-bit Systems release 10.0.19042.2846
  • Windows 10 Version 20H2 for x64-based Systems release 10.0.19042.2846
  • Windows Server 2022 (Server Core installation) release 10.0.20348.1668
  • Windows Server 2022 release 10.0.20348.1668
  • Windows Server 2019 (Server Core installation) release 10.0.17763.4252
  • Windows Server 2019 release 10.0.17763.4252
  • Windows 10 Version 1809 for ARM64-based Systems release 10.0.17763.4252
  • Windows 10 Version 1809 for x64-based Systems release 10.0.17763.4252
  • Windows 10 Version 1809 for 32-bit Systems release 10.0.17763.4252

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
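
The following is an added example, not part of the original advisory or any AppCheck tooling: a triage script that compares build strings from an asset inventory against the fixed releases listed above. It assumes the inventory reports builds in the same four-part form the advisory uses; the hostnames and installed builds in the sample are constructed.

```python
import re

# First fixed revision per build line (major.minor.build), copied from the
# advisory's "Fixed versions" list above.
FIXED_REVISION = {
    "6.0.6003": 22015, "6.1.7601": 26466, "6.2.9200": 24216,
    "6.3.9600": 20919, "10.0.10240": 19869, "10.0.14393": 5850,
    "10.0.17763": 4252, "10.0.19042": 2846, "10.0.19044": 2846,
    "10.0.19045": 2846, "10.0.20348": 1668, "10.0.22000": 1817,
    "10.0.22621": 1555,
}
VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)\.(\d+)$")


def classify(version):
    """Return 'vulnerable', 'fixed', 'not-listed' or 'unparseable'."""
    match = VERSION_RE.match(version.strip())
    if not match:
        return "unparseable"  # e.g. revision missing from the inventory record
    fixed = FIXED_REVISION.get(match.group(1))
    if fixed is None:
        return "not-listed"  # build line absent from the advisory: assess separately
    # Compare revisions as integers; string comparison would rank 10000 below 5850.
    return "vulnerable" if int(match.group(2)) < fixed else "fixed"


def triage(inventory):
    """Group hostnames by status; inventory is an iterable of (host, version)."""
    report = {}
    for host, version in inventory:
        report.setdefault(classify(version), []).append(host)
    return report


# Constructed sample inventory: hostnames and installed builds are made up.
SAMPLE = [
    ("ws-001", "10.0.19045.2728"),
    ("ws-002", "10.0.19045.2846"),
    ("srv-db1", "10.0.17763.4131"),
    ("srv-web1", "10.0.14393.10000"),
    ("srv-old", "6.3.9600.20821"),
    ("ws-new", "10.0.22631.2428"),
    ("kiosk-7", "10.0.19045"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status:<12} {', '.join(hosts)}")
```

Hosts reported as "not-listed" or "unparseable" are not confirmed safe; they fall outside the build lines this advisory enumerates and need a separate check.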

Temporary Mitigation & Workarounds

(The vendor has not advised of any alternative temporary mitigation or workarounds)

NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.

References:

Category: Privilege Escalation

Detection

AppCheck has added a plugin to detect the flaw that will run as part of your standard scans.

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations' websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).

Article information

Author: Velia Krajcik
