CVE-2023-38152 Overview
CVE-2023-38152 is an information disclosure vulnerability in the Microsoft Windows DHCP (Dynamic Host Configuration Protocol) Server Service. An unauthenticated attacker on an adjacent network segment can send a specially crafted Remote Procedure Call (RPC) request to a vulnerable DHCP server and retrieve sensitive information from server memory. The flaw affects every supported edition of Windows Server from 2008 through 2022. Microsoft addressed the issue in the September 2023 Patch Tuesday release.
Critical Impact
Remote, unauthenticated attackers can disclose confidential DHCP server data without user interaction, exposing network configuration intelligence that supports follow-on attacks.
Affected Products
- Microsoft Windows Server 2008 SP2 and Windows Server 2008 R2 SP1 (x86, x64)
- Microsoft Windows Server 2012 and Windows Server 2012 R2
- Microsoft Windows Server 2016, Windows Server 2019, and Windows Server 2022
Discovery Timeline
- 2023-09-12 - CVE-2023-38152 published to the National Vulnerability Database (NVD)
- 2023-09-12 - Microsoft releases security update addressing the vulnerability
- 2024-11-21 - Last updated in the NVD database
Technical Details for CVE-2023-38152
Vulnerability Analysis
The vulnerability resides in the Windows DHCP Server Service, the component responsible for issuing IP leases and managing scope configuration data. The service exposes a management interface over RPC. When that interface processes a malformed client request, it reads beyond the intended buffer boundary and returns the resulting bytes to the caller. The flaw maps to two weakness categories: CWE-126 (Buffer Over-read) and CWE-668 (Exposure of Resource to Wrong Sphere). Because no authentication or user interaction is required, the attack surface includes any system that can route DHCP management traffic to the target server.
The exposure is limited to confidentiality. Successful exploitation does not modify scope configuration, terminate the service, or grant code execution. However, the leaked memory can contain DHCP scope parameters, option values, reservation details, or residual heap content that aids reconnaissance against the broader Windows environment.
Root Cause
The DHCP Server Service does not correctly validate the length parameter associated with a specific RPC structure. The handler trusts attacker-supplied size data and reads past the boundary of an allocated buffer. This out-of-bounds read returns adjacent process memory to the requester.
Attack Vector
An attacker sends a crafted RPC request to the DHCP Server Service over the network. The attack does not require credentials, prior code execution, or social engineering. Repeated requests can be issued to harvest additional memory contents. Refer to the Microsoft Security Update for CVE-2023-38152 for the authoritative technical description.
Detection Methods for CVE-2023-38152
Indicators of Compromise
- Unusual volumes of RPC traffic directed at TCP port 135 and dynamic high ports on Windows DHCP servers from non-administrative hosts.
- DHCP Server Service event log entries showing malformed or unexpected management RPC calls.
- Outbound responses from DHCP servers containing oversized payloads relative to the requesting operation.
Detection Strategies
- Hunt for RPC connections to DHCP servers originating from workstation subnets or systems that have no operational reason to manage DHCP.
- Correlate Windows Security event IDs around RPC endpoint mapper activity with DHCP service process (dhcpserver.exe) telemetry.
- Apply behavioral identification on Windows Servers to flag anomalous reads from DHCP service memory regions using endpoint detection and response (EDR) telemetry such as that produced by Singularity Endpoint.
Monitoring Recommendations
- Centralize DHCP service logs and RPC activity in a SIEM or data lake for longitudinal review.
- Alert on first-seen source IPs invoking DHCP management RPC interfaces.
- Track patch state of all Windows DHCP servers and flag any host that has not received the September 2023 cumulative update.
How to Mitigate CVE-2023-38152
Immediate Actions Required
- Apply the September 2023 Microsoft security update to every Windows Server running the DHCP Server Service.
- Inventory all systems with the DHCP role enabled, including legacy Windows Server 2008 and 2012 hosts that may require Extended Security Updates.
- Restrict management access to DHCP servers to dedicated administrative subnets.
Patch Information
Microsoft published fixed builds for each affected Windows Server release on September 12, 2023. Administrators should consult the Microsoft Security Update Guide entry for CVE-2023-38152 to identify the appropriate KB article for each operating system version and install it through Windows Update, WSUS, or the Microsoft Update Catalog.
Workarounds
- Block inbound RPC traffic (TCP 135 and ephemeral RPC ports) to DHCP servers from untrusted network segments using host or perimeter firewalls.
- Disable the DHCP Server Service on hosts where the role is not required.
- Segment DHCP infrastructure so that only authorized management workstations can reach the RPC interface.
# Example: restrict DHCP server RPC exposure with Windows Firewall
New-NetFirewallRule -DisplayName "Restrict DHCP RPC" `
-Direction Inbound `
-Protocol TCP `
-LocalPort 135 `
-RemoteAddress 10.10.20.0/24 `
-Action Allow
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
