CVE-2023-36705 Overview
CVE-2023-36705 is a Windows Installer Elevation of Privilege Vulnerability that affects a wide range of Microsoft Windows operating systems, including Windows 10, Windows 11, and Windows Server editions. This vulnerability allows a local attacker with low privileges to elevate their permissions to gain full system-level access on the affected system.
Critical Impact
A local attacker who successfully exploits this vulnerability could gain SYSTEM-level privileges, enabling complete compromise of the affected Windows system including the ability to install programs, modify data, and create new accounts with full user rights.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (versions 21H2, 22H2, 23H2)
- Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, and 2022 23H2
Discovery Timeline
- 2023-11-14 - CVE-2023-36705 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-36705
Vulnerability Analysis
This elevation of privilege vulnerability exists within the Windows Installer component (msiexec.exe), a core Windows service responsible for installing, maintaining, and removing software packages. The vulnerability is classified under CWE-59, which relates to improper link resolution before file access, commonly known as a symlink attack or link following vulnerability.
The vulnerability requires local access to exploit, meaning an attacker must first gain a foothold on the target system through another means such as phishing, social engineering, or exploiting a different vulnerability. Once local access is obtained, an attacker with standard user privileges can leverage this flaw to escalate to SYSTEM privileges without requiring user interaction.
Root Cause
The root cause of CVE-2023-36705 lies in improper handling of symbolic links (symlinks) during Windows Installer operations. The Windows Installer service runs with elevated SYSTEM privileges and performs file operations during software installation processes. When the service follows symbolic links without proper validation, an attacker can manipulate these links to redirect file operations to arbitrary locations on the filesystem.
This CWE-59 weakness occurs when the Windows Installer does not properly verify that a file path is legitimate before performing privileged operations, allowing an attacker to craft malicious symbolic links that cause the installer to write to or modify files in protected system locations.
Attack Vector
The attack vector for CVE-2023-36705 is local, requiring the attacker to have authenticated access to the target system with low-level privileges. The exploitation follows this general pattern:
- The attacker creates a carefully crafted symbolic link pointing from a user-controllable location to a sensitive system file or directory
- The attacker triggers a Windows Installer operation that interacts with the malicious symlink
- The Windows Installer service, running as SYSTEM, follows the symlink and performs file operations on the target location
- This allows the attacker to overwrite system files, inject malicious code into protected locations, or otherwise manipulate the system to gain elevated privileges
The attack does not require user interaction and can be performed reliably once an attacker has established local access to the vulnerable system.
Detection Methods for CVE-2023-36705
Indicators of Compromise
- Suspicious symbolic link creation in user-writable directories that point to system-protected locations
- Unexpected Windows Installer (msiexec.exe) process activity with unusual file access patterns
- Evidence of privilege escalation through audit logs showing standard users gaining SYSTEM-level access
- Modification of protected system files by the Windows Installer service outside of legitimate software installation
Detection Strategies
- Monitor Windows Security event logs for Event ID 4688 (process creation) with msiexec.exe followed by unexpected child processes running as SYSTEM
- Implement file integrity monitoring on critical Windows system directories to detect unauthorized modifications
- Configure Sysmon to track symbolic link creation (Event ID 11) and correlate with Windows Installer activity
- Deploy endpoint detection rules that identify symlink creation patterns targeting Windows Installer temporary directories
Monitoring Recommendations
- Enable Windows Process Creation auditing and PowerShell Script Block logging for comprehensive visibility
- Utilize SentinelOne's behavioral AI to detect anomalous privilege escalation patterns associated with Windows Installer abuse
- Review Application event logs for Windows Installer errors that may indicate exploitation attempts
- Monitor for unusual file operations in %TEMP%, %WINDIR%\Installer, and other directories used by Windows Installer
How to Mitigate CVE-2023-36705
Immediate Actions Required
- Apply the Microsoft security update from the November 2023 Patch Tuesday release immediately across all affected Windows systems
- Prioritize patching for systems accessible to multiple users or those in higher-risk network segments
- Conduct an inventory of all Windows systems to identify unpatched instances vulnerable to CVE-2023-36705
- Implement network segmentation to limit lateral movement opportunities for attackers who may have compromised standard user accounts
Patch Information
Microsoft has released security updates addressing CVE-2023-36705 as part of the November 2023 security update cycle. Organizations should obtain the appropriate patches from the Microsoft Security Update Guide for their specific Windows versions. The patches address the improper symlink handling in the Windows Installer service.
System administrators should deploy these updates through Windows Update, Windows Server Update Services (WSUS), Microsoft Endpoint Configuration Manager, or other enterprise patch management solutions. Given the broad scope of affected products spanning Windows 10, Windows 11, and multiple Windows Server versions, a systematic approach to deployment is recommended.
Workarounds
- Restrict local access to systems where possible, limiting the attack surface for this local privilege escalation vulnerability
- Implement the principle of least privilege, ensuring users operate with the minimum permissions necessary for their roles
- Monitor and restrict symbolic link creation capabilities using Windows Group Policy where operationally feasible
- Deploy application control policies to limit which applications can interact with the Windows Installer service
# PowerShell command to check Windows Installer service status and configuration
Get-Service -Name msiserver | Select-Object Name, Status, StartType
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer" -ErrorAction SilentlyContinue
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
