CVE-2023-21767 Overview
CVE-2023-21767 is a Windows Overlay Filter Elevation of Privilege Vulnerability that affects a wide range of Microsoft Windows operating systems. This vulnerability exists within the Windows Overlay Filter component, a kernel-level file system filter driver that enables layered file system operations. A successful exploit allows an authenticated local attacker to escalate their privileges to SYSTEM level, potentially gaining complete control over the affected system.
Critical Impact
An attacker who successfully exploits this vulnerability can elevate privileges from a low-privileged user account to SYSTEM, enabling full administrative control over the Windows operating system including access to sensitive data, installation of malicious software, and lateral movement across the network.
Affected Products
- Microsoft Windows 10 (all versions including 1607, 1809, 20H2, 21H2, 22H2)
- Microsoft Windows 11 (21H2, 22H2 on both x64 and ARM64 architectures)
- Microsoft Windows 8.1 and Windows RT 8.1
- Microsoft Windows Server 2012 and 2012 R2
- Microsoft Windows Server 2016
- Microsoft Windows Server 2019
- Microsoft Windows Server 2022
Discovery Timeline
- January 10, 2023 - CVE-2023-21767 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-21767
Vulnerability Analysis
The Windows Overlay Filter (WOF) is a kernel-mode file system filter driver that provides functionality for Windows Container Isolation and other layered file system operations. This vulnerability stems from improper input validation (CWE-20) within the overlay filter driver, allowing a local attacker with low-level privileges to manipulate the driver's behavior and escalate to SYSTEM privileges.
The vulnerability requires local access to the target system and does not require user interaction for exploitation. Once exploited, an attacker gains the ability to compromise the confidentiality, integrity, and availability of the affected system. The local attack vector limits remote exploitation scenarios but remains a significant threat in environments where attackers have already gained initial access through other means.
Root Cause
The root cause of CVE-2023-21767 lies in improper input validation within the Windows Overlay Filter driver. The vulnerability is classified under CWE-20 (Improper Input Validation), indicating that the driver fails to properly sanitize or validate certain inputs before processing them. This improper validation allows an attacker to craft malicious inputs that the driver processes incorrectly, leading to a privilege escalation condition.
Attack Vector
The attack vector for this vulnerability is local, meaning an attacker must have existing access to the target system with at least low-level privileges. The attack complexity is low, requiring no special conditions or race conditions to exploit. The typical attack scenario involves:
- An attacker gains initial access to a Windows system with a low-privileged user account
- The attacker executes a malicious application or script that interacts with the Windows Overlay Filter driver
- By sending specially crafted requests to the driver, the attacker triggers the improper input validation flaw
- The vulnerability allows the attacker to elevate privileges to SYSTEM level
- With SYSTEM privileges, the attacker has full control over the operating system
The vulnerability does not require user interaction, making it particularly dangerous in automated attack chains where an initial compromise is followed by privilege escalation.
Detection Methods for CVE-2023-21767
Indicators of Compromise
- Unusual process creation events where low-privileged processes spawn high-privileged child processes
- Suspicious interactions with the Windows Overlay Filter driver (wof.sys) from non-standard applications
- Unexpected privilege changes in Windows Security Event logs (Event IDs 4672, 4673)
- Anomalous file system filter driver activity in kernel-mode debugging or ETW traces
Detection Strategies
- Monitor Windows Security Event logs for privilege escalation indicators, particularly Event ID 4672 (Special Privileges Assigned to New Logon)
- Deploy endpoint detection rules that identify suspicious process hierarchies where standard user processes gain SYSTEM privileges
- Implement application whitelisting to prevent unauthorized executables from interacting with kernel-mode drivers
- Use SentinelOne's behavioral AI to detect anomalous privilege escalation patterns in real-time
Monitoring Recommendations
- Enable enhanced Windows Security auditing for privilege use and process creation events
- Configure SentinelOne agents to alert on kernel-mode driver exploitation attempts
- Establish baseline behavior for system processes and alert on deviations
- Monitor for unusual wof.sys driver load events or configuration changes
How to Mitigate CVE-2023-21767
Immediate Actions Required
- Apply the Microsoft security update released as part of the January 2023 Patch Tuesday immediately
- Prioritize patching for systems accessible by multiple users or exposed to potential insider threats
- Implement the principle of least privilege to minimize the number of users with local access
- Ensure SentinelOne agents are deployed and updated to detect exploitation attempts
Patch Information
Microsoft has released security updates addressing CVE-2023-21767 as part of their January 2023 security release cycle. Administrators should apply the appropriate patches for their Windows versions through Windows Update, WSUS, or SCCM. For detailed patch information and specific KB articles, refer to the Microsoft Security Update Guide for CVE-2023-21767.
Workarounds
- Restrict local login privileges to only necessary users and service accounts
- Implement application control policies to prevent unauthorized applications from executing
- Enable Windows Defender Credential Guard on supported systems to limit credential theft after privilege escalation
- Consider disabling the Windows Overlay Filter if not required for business operations (note: may impact Windows Container functionality)
# Verify Windows Overlay Filter driver status
sc query wof
# Check current patch level for Windows
wmic qfe list brief /format:table | findstr KB
# Review assigned special privileges in Security logs
wevtutil qe Security "/q:*[System[(EventID=4672)]]" /c:10 /f:text
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
