CVE-2023-28229 Overview
CVE-2023-28229 is an elevation of privilege vulnerability in the Windows Cryptographic Next Generation (CNG) Key Isolation Service. This critical Windows component is responsible for isolating cryptographic keys and performing cryptographic operations in a secure process, protecting sensitive key material from unauthorized access. The vulnerability allows a local attacker with low-level privileges to escalate their access to higher privilege levels on the affected system.
Critical Impact
This vulnerability is actively exploited in the wild and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Successful exploitation allows local privilege escalation, potentially granting attackers SYSTEM-level access to compromise the entire Windows environment.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 20H2, 21H2, 22H2)
- Microsoft Windows 11 (versions 21H2, 22H2)
- Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 2022
Discovery Timeline
- 2023-04-11 - CVE-2023-28229 published to NVD
- 2025-10-28 - Last updated in NVD database
Technical Details for CVE-2023-28229
Vulnerability Analysis
The Windows CNG Key Isolation Service (KeyIso) is a critical system service that runs with SYSTEM privileges and manages access to cryptographic private keys. This elevation of privilege vulnerability exists due to improper handling of sensitive data within the service, classified under CWE-591 (Sensitive Data Storage in Improperly Locked Memory).
The vulnerability requires local access to exploit, meaning an attacker must already have some level of access to the target system. While the attack complexity is considered high, successful exploitation allows the attacker to achieve confidentiality, integrity, and availability impacts on the target system. The local attack vector combined with the requirement for user interaction makes this vulnerability particularly dangerous in enterprise environments where attackers may already have established initial footholds.
Root Cause
The root cause of this vulnerability stems from improper memory handling within the CNG Key Isolation Service. Specifically, the vulnerability is related to sensitive data being stored in improperly locked memory (CWE-591), which can allow an attacker to access or manipulate cryptographic key material or exploit the memory management flaw to escalate privileges.
The CNG Key Isolation Service is designed to protect private keys by isolating cryptographic operations in a separate process (lsass.exe or a dedicated isolation process). The memory handling flaw undermines this security boundary, allowing a local attacker to bypass the intended privilege separation.
Attack Vector
The attack vector for CVE-2023-28229 is local, requiring the attacker to have existing access to the target system. The exploitation flow involves:
- The attacker gains initial access to the system with low-level privileges (standard user account)
- The attacker identifies a vulnerable Windows system running an unpatched version of the CNG Key Isolation Service
- By exploiting the memory handling vulnerability in the KeyIso service, the attacker can escalate privileges
- Successful exploitation grants elevated privileges, potentially achieving SYSTEM-level access
The vulnerability affects the lsaiso.exe process and related cryptographic service components. Since this vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, active exploitation has been observed in the wild, making immediate patching critical.
Detection Methods for CVE-2023-28229
Indicators of Compromise
- Unusual process creation from lsass.exe or lsaiso.exe with suspicious child processes
- Anomalous memory access patterns targeting the CNG Key Isolation Service (KeyIso)
- Unexpected privilege escalation events in Windows Security logs (Event ID 4672, 4673)
- Evidence of credential harvesting or cryptographic key access by non-authorized processes
Detection Strategies
- Monitor Windows Security Event Logs for privilege escalation attempts (Event IDs 4672, 4673, 4674)
- Deploy endpoint detection rules to identify suspicious interactions with lsass.exe and lsaiso.exe
- Implement behavioral analysis to detect anomalous process privilege changes
- Use SentinelOne's Singularity platform to detect exploitation attempts targeting Windows cryptographic services
Monitoring Recommendations
- Enable Windows Security Event logging with auditing for privilege use and process creation
- Configure alerts for any unexpected SYSTEM-level process spawning from user-context applications
- Implement file integrity monitoring on critical system binaries related to cryptographic services
- Leverage SentinelOne's autonomous response capabilities to automatically contain systems exhibiting exploitation behavior
How to Mitigate CVE-2023-28229
Immediate Actions Required
- Apply Microsoft's security update immediately as this vulnerability is actively exploited in the wild
- Prioritize patching for systems in CISA's mandated remediation timeframe due to KEV listing
- Implement network segmentation to limit lateral movement from potentially compromised endpoints
- Review and audit privileged accounts to minimize the attack surface for privilege escalation
Patch Information
Microsoft has released security updates to address this vulnerability as part of their April 2023 Patch Tuesday release. Detailed patch information and download links are available through the Microsoft Security Update Guide. Organizations should deploy these updates through their standard patch management processes, prioritizing this vulnerability due to its active exploitation status.
The vulnerability is also tracked in the CISA Known Exploited Vulnerabilities Catalog, which mandates federal agencies to remediate within specified timeframes. Private sector organizations should follow similar urgency in their remediation efforts.
Workarounds
- Restrict access to systems running vulnerable versions of Windows to trusted administrators only
- Implement the principle of least privilege to minimize the impact of potential compromise
- Enable Credential Guard on supported Windows versions to provide additional protection for cryptographic services
- Deploy application allowlisting to prevent unauthorized code execution that could leverage this vulnerability
# Enable Windows Defender Credential Guard via Group Policy
# Navigate to: Computer Configuration > Administrative Templates > System > Device Guard
# Enable "Turn On Virtualization Based Security"
# Set "Credential Guard Configuration" to "Enabled with UEFI lock"
# Alternatively, enable via registry (requires reboot):
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LsaCfgFlags /t REG_DWORD /d 1 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
