CVE-2023-21708 Overview
CVE-2023-21708 is a remote code execution vulnerability in the Microsoft Windows Remote Procedure Call (RPC) Runtime. Microsoft disclosed the flaw in March 2023 as part of its monthly Patch Tuesday release. An unauthenticated attacker can send a specially crafted RPC call to a vulnerable Windows host to trigger code execution in the context of the RPC service.
The weakness is classified under [CWE-191] (Integer Underflow) and affects nearly two decades of Windows client and server releases. No user interaction or prior authentication is required for exploitation.
Critical Impact
An unauthenticated network attacker can achieve remote code execution against any reachable Windows host with TCP port 135 (and dynamic RPC endpoints) exposed, including domain controllers and member servers.
Affected Products
- Microsoft Windows 10 (1507, 1607, 1809, 20H2, 21H2, 22H2)
- Microsoft Windows 11 (21H2, 22H2)
- Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 2022
Discovery Timeline
- 2023-03-14 - CVE-2023-21708 published to the National Vulnerability Database
- 2023-03-14 - Microsoft releases security update for CVE-2023-21708
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-21708
Vulnerability Analysis
The vulnerability resides in the Windows RPC Runtime, the core component that handles serialization, transport, and dispatch of RPC requests across Windows services. RPC is exposed over TCP port 135 and over dynamic high ports negotiated by the endpoint mapper. Many core Windows services, including the Service Control Manager, Task Scheduler, and DCOM components, rely on the RPC Runtime.
Microsoft classifies the root cause under [CWE-191], an integer underflow condition. The flaw occurs when the RPC Runtime processes attacker-controlled length or size fields during request parsing. A crafted value can wrap below zero and produce an undersized allocation or an out-of-bounds memory operation on a larger downstream buffer.
The EPSS model places this vulnerability above the 94th percentile, reflecting its broad attack surface and the historical interest in RPC bugs as worm-ready primitives.
Root Cause
The integer underflow stems from arithmetic on a length or count field that is not validated against a minimum bound before being used as a buffer size or loop counter. When the underflow produces a near-UINT_MAX value, subsequent memory copies or pointer arithmetic read or write outside the allocated structure, corrupting RPC Runtime memory.
Attack Vector
An attacker sends a specially crafted RPC request to TCP port 135 or any reachable RPC endpoint on the target. Because authentication is not required and the RPC Runtime processes the malformed field before higher-level access checks, the attacker reaches the vulnerable code path remotely. Successful exploitation yields code execution at the privilege level of the affected RPC service. See the Microsoft Security Update Guide for CVE-2023-21708 for vendor technical details.
Detection Methods for CVE-2023-21708
Indicators of Compromise
- Unexpected child processes spawned by svchost.exe hosting RPC services (RpcSs, RpcEptMapper).
- Crashes or repeated restarts of RPC-hosting svchost.exe instances logged in the Application or System event logs.
- Inbound TCP connections to port 135 from untrusted networks or unusual internal hosts.
- Outbound network connections initiated by RPC service processes shortly after inbound RPC traffic.
Detection Strategies
- Hunt for anomalous process lineage where svchost.exe -k RPCSS spawns interactive shells (cmd.exe, powershell.exe) or LOLBins.
- Alert on Windows Error Reporting and crash dumps for RPC Runtime modules (rpcrt4.dll).
- Correlate inbound port 135 traffic with subsequent privileged process activity on the same host.
Monitoring Recommendations
- Enable Sysmon Event IDs 1, 3, and 11 to capture process creation, network, and file events tied to RPC service processes.
- Forward Windows Security and System event logs to a centralized analytics platform for cross-host correlation.
- Monitor perimeter and east-west traffic for TCP/135 exposure that should not exist between segments.
How to Mitigate CVE-2023-21708
Immediate Actions Required
- Apply the March 2023 Microsoft security update for all affected Windows client and server versions.
- Block TCP port 135 at the network perimeter and restrict it internally to systems that legitimately require RPC.
- Inventory hosts exposing RPC to untrusted networks and prioritize patching those systems first.
- Reboot patched systems to ensure the updated rpcrt4.dll is loaded by all RPC-hosting processes.
Patch Information
Microsoft released fixes for CVE-2023-21708 in the March 14, 2023 security updates. Refer to the Microsoft Security Update Guide for CVE-2023-21708 for the specific KB article and build numbers for each affected Windows release.
Workarounds
- Block TCP port 135 inbound at perimeter firewalls and host-based firewalls where RPC is not required.
- Enforce IPsec or Windows Defender Firewall rules to allow RPC only between explicitly trusted hosts.
- Segment management networks so that RPC endpoints on servers are not reachable from user workstations or the internet.
# Example: block inbound TCP/135 with Windows Defender Firewall (PowerShell)
New-NetFirewallRule -DisplayName "Block Inbound RPC EPM (CVE-2023-21708)" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 135 `
-Action Block `
-Profile Any
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
