CVE-2023-21768 Overview
CVE-2023-21768 is an elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock (afd.sys). The flaw allows a local, authenticated attacker to gain SYSTEM-level privileges on affected Windows 11 and Windows Server 2022 systems. Microsoft addressed this issue in the January 2023 Patch Tuesday release.
The vulnerability is associated with [CWE-822: Untrusted Pointer Dereference], reflecting improper handling of user-supplied pointers within a kernel driver. Public exploit code targeting this issue circulated shortly after disclosure, and the EPSS score of 74.422% (98.872 percentile) indicates a high likelihood of exploitation activity.
Critical Impact
Local attackers with low-privileged access can escalate to SYSTEM by leveraging an arbitrary kernel write primitive in afd.sys, leading to full host compromise.
Affected Products
- Microsoft Windows 11 (21H2 and 22H2, x64 and ARM64)
- Microsoft Windows Server 2022
- Windows Ancillary Function Driver for WinSock (afd.sys)
Discovery Timeline
- 2023-01-10 - CVE-2023-21768 published to NVD and addressed in Microsoft's January 2023 security updates
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-21768
Vulnerability Analysis
The vulnerability resides in afd.sys, the kernel-mode driver that backs the Windows Sockets (WinSock) interface. The driver processes I/O Request Packets (IRPs) issued by user-mode applications when interacting with sockets. During the handling of a specific AFD IOCTL, the driver dereferences a user-controlled pointer without validating that it resides in user-mode memory.
An attacker who controls the input buffer can supply a kernel-mode address. The driver subsequently writes attacker-influenced data to that address, producing an arbitrary kernel write primitive. Combined with token replacement or process structure manipulation, this primitive yields privilege escalation to SYSTEM.
The issue requires only local access and low privileges. It does not require user interaction, and exploitation impacts confidentiality, integrity, and availability of the host.
Root Cause
The root cause is an untrusted pointer dereference [CWE-822] within an afd.sys IOCTL handler. The driver fails to validate that the destination pointer provided by the caller is a user-mode address before issuing a write. Calling ProbeForWrite or equivalent validation routines would have prevented the kernel from writing to attacker-chosen kernel addresses.
Attack Vector
Exploitation requires local code execution in the context of any authenticated user. The attacker opens a handle to the AFD device (\Device\Afd), constructs a malformed input structure containing a kernel-mode target address, and issues a DeviceIoControl call. The driver then writes a controlled value to that address. Public proof-of-concept code demonstrates targeting the Token field of the EPROCESS structure or the PreviousMode byte of the attacker's KTHREAD to elevate privileges.
No verified exploit code is reproduced here. Refer to the Microsoft CVE-2023-21768 Update for vendor guidance and patch details.
Detection Methods for CVE-2023-21768
Indicators of Compromise
- Unexpected child processes of low-privileged users running with SYSTEM integrity, particularly cmd.exe, powershell.exe, or unsigned binaries.
- Process handles opened to \Device\Afd followed by abnormal NtDeviceIoControlFile calls from non-network applications.
- Modification of process token fields, including duplicated SYSTEM tokens appearing in user-launched processes.
Detection Strategies
- Monitor for token manipulation patterns where a non-elevated process suddenly acquires a SYSTEM token, a hallmark of token-stealing exploits built on kernel write primitives.
- Hunt for processes that open \Device\Afd outside of expected networking applications and issue uncommon IOCTL codes.
- Correlate Sysmon Event ID 1 (process creation) with Event ID 10 (process access) to surface privilege escalation chains from standard user contexts.
Monitoring Recommendations
- Enable Windows Defender Exploit Guard and kernel-mode code integrity (HVCI) where supported to constrain post-exploitation behavior.
- Forward Sysmon, Windows Security, and EDR telemetry to a central data lake and alert on parent-child mismatches indicating privilege jumps.
- Track patch compliance for the January 2023 Windows cumulative updates across all Windows 11 and Server 2022 endpoints.
How to Mitigate CVE-2023-21768
Immediate Actions Required
- Apply the January 2023 Windows security updates from Microsoft to all affected Windows 11 21H2, 22H2, and Windows Server 2022 systems.
- Audit endpoint inventories to identify hosts missing the cumulative update and prioritize remediation on multi-user systems, terminal servers, and developer workstations.
- Restrict local logon rights and remove unnecessary interactive access for standard users to reduce the local attack surface.
Patch Information
Microsoft released fixes through the January 10, 2023 cumulative updates. Consult the Microsoft CVE-2023-21768 Update advisory for KB numbers corresponding to each affected build. Installing the cumulative update replaces the vulnerable afd.sys driver with a version that validates user-supplied pointers.
Workarounds
- No supported workaround exists that disables afd.sys without breaking Windows networking; patching is the only complete remediation.
- Enforce application allowlisting via Windows Defender Application Control or AppLocker to block execution of unauthorized binaries that could deliver exploit code.
- Apply least-privilege policies and limit local administrative groups to reduce blast radius if exploitation occurs prior to patching.
# Verify patch level on Windows hosts (PowerShell)
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10
# Confirm afd.sys file version post-patch
Get-Item C:\Windows\System32\drivers\afd.sys | Select-Object VersionInfo
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
