Fix Soon

CVE-2023-36036

Local Privilege Escalation in Microsoft Windows Cloud Files Mini Filter Driver

Summary

Microsoft Windows Cloud Files Mini Filter Driver (cldflt.sys) has a kernel memory corruption flaw in the code that processes cloud file operations. A local attacker with a low-privilege account can trigger the vulnerable path with crafted input and corrupt kernel memory. Successful exploitation can raise privileges to SYSTEM on the affected Windows host.

Why Fix Soon?

Score: 5/6
  • Domain user required (treated as pre-auth on internal network)
  • Internal deployment
  • No user interaction needed
  • Exploitable in default configuration
  • Active exploitation in the wild
  • High impact vulnerability

Exploitation Details

Type: LPE (Local Privilege Escalation)
Is exploitable with default configuration? Yes
Is authentication needed? Yes (domain user)
PoC / Exploit: No
Impact

Escalate to SYSTEM privileges on the local Windows host.

Privilege Escalation
Exploitation Requirements
  • Authentication required (domain user)
Exploitation Process

An attacker first needs a low-privilege account on the target Windows system. They then run a crafted program, or otherwise trigger cloud-file operations that reach cldflt.sys, to send malformed data to the mini-filter driver. The buggy kernel path corrupts heap memory, letting the attacker overwrite kernel structures and execute code as SYSTEM.

Detection Resources
Manual Detection: 0
Script Detection: 0
Scanner Detection: 2

Affected Software

Vendor: Microsoft
Product: Microsoft Windows
Affected Versions: Windows 10 1507 through 22H2; Windows 11 21H2 through 23H2; Windows Server 2008 SP2, 2008 R2 SP1, 2012, 2012 R2, 2016, 2019, 2022 (pre-November 2023 updates)
Description

Microsoft Windows is the desktop and server operating system platform used for end-user workstations, file servers, and enterprise application hosts.

Deployment: Typically internal | Protocol: Local | Ports: none (local vulnerability)

Affected Component: Cloud Files Mini Filter Driver (cldflt.sys) kernel driver that handles cloud file synchronization and placeholder file operations.

Enterprise Usage: estimated likelihood that this vendor/product is deployed in enterprise environments, on a scale from Very Low to Very High (AI-generated estimate based on market presence, product type and adoption signals, not exact data).
Vendor Size: Big
Remediation

Workaround: Not available

Patch: Not available

Update: Install the November 14, 2023 Microsoft security update for the affected Windows release; Microsoft fixed CVE-2023-36036 in the monthly cumulative updates for supported Windows 10, Windows 11, and Windows Server builds.

Reference: msrc.microsoft.com
Threat Intelligence

EPSS Score: 1.6% (probability of exploitation in the next 30 days)
EPSS Percentile: 82% (worse than 82% of all CVEs)
CISA KEV: Listed
Active Exploitation: Active (source: cisa.gov)
Threat Actors: No known threat actors

Detection Rules (1)
Snort: OS-WINDOWS Microsoft Windows Cloud Files Mini Filter driver elevation of privilege attempt

NVD Data


Description Summary

Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

CVSS Base Score: 7.8 (High)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CWE: CWE-122 Heap-based Buffer Overflow; CWE-787 Out-of-bounds Write

Version From:
Version Upto: 10.0.10240.20308, 10.0.10240.20308, 10.0.14393.6452, 10.0.14393.6452, 10.0.17763.5122, 10.0.17763.5122, 10.0.17763.5122, 10.0.19041.3693, 10.0.19041.3693, 10.0.19041.3693, 10.0.19045.3693, 10.0.19045.3693, 10.0.19045.3693, 10.0.22000.2600, 10.0.22000.2600, 10.0.22621.2715, 10.0.22621.2715, 10.0.22621.2715, 10.0.22621.2715, 10.0.14393.6452, 10.0.17763.5122, 10.0.20348.2113

Affected Software (CPE) (27)

  • cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_1507:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_1607:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_1809:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_21h2:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_10_22h2:*:*:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_11_21h2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_11_22h2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:arm64:*
  • cpe:2.3:o:microsoft:windows_11_23h2:*:*:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:x86:*
  • cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
  • cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*

Priority History

Fix Soon: Initial analysis