
CVE-2023-36012: Windows Server 2008 DHCP Vulnerability

CVE-2023-36012 is an information disclosure vulnerability in Microsoft Windows Server 2008 DHCP Server Service that could allow attackers to access sensitive data. This article covers technical details, affected versions, and mitigation.

CVE-2023-36012 Overview

CVE-2023-36012 is an information disclosure vulnerability in the Microsoft Windows Dynamic Host Configuration Protocol (DHCP) Server Service. Microsoft published the advisory on December 12, 2023; it affects multiple Windows Server releases from 2008 through 2022. An unauthenticated attacker on the network can send crafted requests to a DHCP server and retrieve memory contents that should not be exposed. The root cause maps to CWE-908: Use of Uninitialized Resource, indicating that the service can return uninitialized memory to a remote requester. The flaw does not enable code execution or modification of data, but it can leak fragments of server memory useful for follow-on attacks.

Critical Impact

A network-adjacent attacker can read uninitialized memory from Windows DHCP Server, potentially exposing sensitive runtime data without requiring authentication or user interaction.

Affected Products

  • Microsoft Windows Server 2008 SP2 and Windows Server 2008 R2 SP1 (x64)
  • Microsoft Windows Server 2012 and Windows Server 2012 R2
  • Microsoft Windows Server 2016, Windows Server 2019, and Windows Server 2022

Discovery Timeline

  • 2023-12-12 - CVE-2023-36012 published to NVD by Microsoft
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2023-36012

Vulnerability Analysis

The DHCP Server Service implements the DHCP protocol (RFC 2131) on Windows Server, allocating IP addresses and option data to clients on the local network. CVE-2023-36012 is an information disclosure flaw in this service. When the service processes specific request paths, it returns response data containing uninitialized memory contents from the server process.

The vulnerability is mapped to CWE-908: Use of Uninitialized Resource. This class of bug occurs when a buffer is allocated but not fully zeroed or populated before being transmitted to a remote requester. Leaked memory may contain configuration values, internal pointers, or fragments of previous DHCP transactions, which can aid reconnaissance against the affected host.

Exploitation requires network reachability to the DHCP service but no credentials and no user interaction. Confidentiality is affected; integrity and availability are not. The EPSS probability for this CVE is approximately 0.9%.

Root Cause

The service emits response buffers that contain uninitialized bytes from process memory. Without explicit zeroing or strict length tracking on the response path, stale data resident in the buffer is sent to the requester.

Attack Vector

The attacker sends crafted DHCP messages to a vulnerable Windows DHCP server over the network. DHCP traffic uses UDP ports 67 and 68 and is typically reachable from any host on the same broadcast domain. Public technical proof-of-concept code is not available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

No verified exploitation code is published. See the Microsoft Security Update CVE-2023-36012 advisory for vendor technical details.

Detection Methods for CVE-2023-36012

Indicators of Compromise

  • Anomalous volumes of DHCP request traffic to UDP port 67 from a single source, particularly malformed or repeated INFORM, REQUEST, or DISCOVER messages.
  • Unexpected source addresses outside the normal client population issuing DHCP queries to a Windows DHCP server.
  • DHCP responses with abnormal option payload sizes recorded by network capture tooling.

Detection Strategies

  • Enable DHCP audit logging on Windows Server and forward DhcpSrvLog-*.log entries to a central log platform for analysis.
  • Inspect DHCP traffic with network sensors and alert on malformed option fields or rapid bursts of requests from non-client hosts.
  • Correlate DHCP server event logs with endpoint telemetry to identify hosts probing infrastructure services.

Monitoring Recommendations

  • Baseline normal DHCP request volume per source and alert on deviations exceeding the baseline.
  • Monitor for the presence of the December 2023 cumulative update on all DHCP server roles and flag unpatched hosts.
  • Restrict DHCP server reachability with network segmentation and monitor traffic crossing those boundaries.
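
One way to apply the audit-log and per-source baseline recommendations above, shown as an added example that is not code from Microsoft or from this advisory. The sample log is constructed, and the record layout, the MM/DD/YY date format, the `KNOWN_MACS` inventory and the per-minute threshold are assumptions to adjust for your environment.

```python
import csv
from collections import Counter
from datetime import datetime

# Constructed sample (not real data). Assumed layout: free-text preamble, then a
# header row starting "ID,Date,Time", then one CSV record per event.
SAMPLE_LOG = """\
Microsoft DHCP Service Activity Log
Event ID  Meaning
ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name
10,12/14/23,09:00:01,Assign,10.0.5.21,ws-021.example.test,001122334455,
11,12/14/23,09:00:40,Renew,10.0.5.22,ws-022.example.test,001122334466,
10,12/14/23,09:01:02,Assign,10.0.5.90,,0200deadbe01,
10,12/14/23,09:01:09,Assign,10.0.5.91,,0200DEADBE01,
10,12/14/23,09:01:17,Assign,10.0.5.92,,0200DEADBE01,
10,12/14/23,09:01:31,Assign,10.0.5.93,,0200DEADBE01,
11,12/14/23,09:02:05,Renew,10.0.5.21,ws-021.example.test,001122334455,
11,12/14/23,09:02
"""
KNOWN_MACS = {"001122334455", "001122334466"}  # hypothetical client inventory


def parse_audit_log(text):
    """Yield (timestamp, event_id, ip, mac) for each record after the header."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.startswith("ID,Date,Time")), None)
    if start is None:
        raise ValueError("audit log header row not found")
    for row in csv.reader(lines[start + 1:]):
        if len(row) < 7 or not row[0].strip().isdigit():
            continue  # blank or truncated line, e.g. a record cut off mid-write
        ts = datetime.strptime(f"{row[1]} {row[2]}", "%m/%d/%y %H:%M:%S")
        yield ts, int(row[0]), row[4], row[6].strip().upper()


def flag_sources(text, known_macs, per_minute_baseline):
    """Map each suspicious MAC to its reasons: 'burst' and/or 'unknown-source'."""
    per_window = Counter()
    findings = {}
    for ts, _event_id, _ip, mac in parse_audit_log(text):
        per_window[(mac, ts.replace(second=0))] += 1  # one-minute buckets
        if mac not in known_macs:
            findings.setdefault(mac, set()).add("unknown-source")
    for (mac, _window), count in per_window.items():
        if count > per_minute_baseline:
            findings.setdefault(mac, set()).add("burst")
    return findings


if __name__ == "__main__":
    for mac, reasons in flag_sources(SAMPLE_LOG, KNOWN_MACS, 3).items():
        print(mac, sorted(reasons))
```
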

How to Mitigate CVE-2023-36012

Immediate Actions Required

  • Install the December 2023 Microsoft security update on all servers running the DHCP Server role across Windows Server 2008 through 2022.
  • Inventory all DHCP server instances, including secondary and failover partners, and confirm patch status on each.
  • Where patching is delayed, restrict UDP 67/68 traffic to the DHCP server to authorized network segments only.

Patch Information

Microsoft addressed CVE-2023-36012 in the December 12, 2023 security updates. Refer to the Microsoft Security Update CVE-2023-36012 advisory for the build numbers and KB articles that apply to each affected Windows Server version.

Workarounds

  • Apply network access control lists on routers and firewalls to limit which hosts can reach the DHCP service.
  • Disable the DHCP Server role on hosts that do not require it and rely on a hardened, patched DHCP instance.
  • Enable DHCP audit logging and forward logs off-host so disclosure attempts can be investigated after the fact.
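
```powershell
# Verify DHCP server patch level and audit logging on Windows Server
# List the ten most recently installed updates to confirm the December 2023 patch
Get-HotFix | Sort-Object -Property InstalledOn -Descending | Select-Object -First 10
# Show whether DHCP audit logging is enabled and where the log files are written
Get-DhcpServerAuditLog
# Enumerate DHCP servers authorized in Active Directory for the patch inventory
Get-DhcpServerInDC
```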

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
