CVE-2023-35313 in Windows
Summary
by MITRE • 07/11/2023
Windows Online Certificate Status Protocol (OCSP) SnapIn Remote Code Execution Vulnerability
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/05/2026
This vulnerability exists within the Windows Online Certificate Status Protocol ocsp snapin component which is part of the Microsoft management console framework. The flaw allows remote code execution when a malicious actor crafts specially crafted OCSP responses that trigger improper validation within the snapin module. This represents a critical security weakness in how Windows handles certificate status verification through the OCSP protocol, which is fundamental to secure communications and authentication processes.
The technical implementation of this vulnerability stems from inadequate input validation within the ocsp snapin's processing pipeline. When the system receives OCSP responses containing malformed data structures or unexpected parameter values, the parsing logic fails to properly sanitize inputs before processing them. This leads to memory corruption conditions that can be exploited to execute arbitrary code with the privileges of the affected service account. The vulnerability specifically manifests in how the snapin handles certificate revocation status information during management console operations.
The operational impact of this vulnerability is severe as it provides attackers with a pathway to gain remote code execution on systems running affected Windows versions. Attackers can leverage this flaw by constructing malicious OCSP responses that, when processed by the vulnerable snapin, enable them to execute commands on target systems. This creates opportunities for privilege escalation, lateral movement within networks, and potential full system compromise. The vulnerability affects Windows Server 2008 through Windows Server 2019, making it particularly dangerous in enterprise environments where certificate-based authentication is prevalent.
Mitigation strategies include applying the relevant security updates from Microsoft that patch the input validation flaws in the ocsp snapin component. Organizations should also implement network segmentation to limit access to systems running the affected management console components. Additionally, monitoring for unusual OCSP response patterns and implementing strict certificate validation policies can help detect exploitation attempts. Security professionals should consider disabling unnecessary management console extensions and regularly audit certificate trust relationships to minimize attack surface. This vulnerability aligns with CWE-129 and CWE-787 categories related to improper input validation and buffer overflow conditions, while also mapping to ATT&CK techniques involving privilege escalation and remote code execution through system services.