CVE-2023-21674 – Actively Exploited ALPC Vulnerability

Photo of author
Written By Hayk Chukhuryan
Technologist with a passion for system design, cyber security, and OPSEC. I love solving interesting problems.

On the first Patch Tuesday of 2023, Microsoft fixed a whopping total of 98 flaws. Among them is a publicly disclosed SMB Witness Service zero-day CVE-2023-21549, and an actively exploited EoP vulnerability tracked under CVE-2023-21674. With active exploitation witnessed in the wild, the latter commands special consideration.

Discovered by Avast malware researchers Jan Vojtěšek, Milánek, and Przemek Gmerek, we’ll dissect how it operates, and what you should do to protect your network against this ALPC vulnerability.

What is an ALPC?

An Advanced Local Procedure Call (ALPC) is an inter-process communication component. It is the mechanism in which Windows depends on to facilitate messages from one process to another on the same host. It is an integral part of local remote procedure calls (RPC), Winlogon, LSASS, and more.

While the low-level details of this attack have not been disclosed, we do know that a successful exploit requires an attacker to have accomplished an initial infection on its target. The flaw is then chained to a bug present in Chromium-based web browsers to break out of the sandbox and gain SYSTEM level privileges. The full exploit chain is currently unknown.

“It allows a local attacker to escalate privileges from sandboxed execution inside Chromium to kernel-level execution and full SYSTEM privileges. Bugs of this type are often paired with some form of code exaction to deliver malware or ransomware. Considering this was reported to Microsoft by researchers from Avast, that scenario seems likely here.”

Dustin Childs
Trend Micro
The attack allows the attacker to bypass the browser sandbox and reach the kernel level

Given the popularity of Chromium browsers, this risk affects millions of organizations; paving the way for ransomware, data theft, and other forms of malware. Luckily, modern browsers have auto-update functionality, which mitigates one part of this threat, as explained by security researcher Satnam Narang. With that said, make sure you restart your browsers regularly for these updates to take effect.

“The likelihood of future widespread exploitation of an exploit chain like this is limited due to auto-update functionality used to patch browsers.”

Satnam Narang

Versions affected

  • Windows 8
  • Windows 10
  • Windows 11
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022

What to do about CVE-2023-21674

Make sure your Chromium-based browsers (Google Chrome, Microsoft Edge, and Brave) are up to date.

Install the latest Windows update for your system. It is available through the following channels:

Leave a Comment