CVE-2023-21752: 
vulnerability analysis and mitigation

Windows Backup Service Elevation of Privilege Vulnerability (CVE-2023-21752) was disclosed and patched by Microsoft on January 10, 2023. The vulnerability affects Windows 7, 10, and 11 operating systems, allowing non-privileged users to execute arbitrary code and delete files from specified storage paths that should only be accessible to privileged users (CloudSEK Report).

The vulnerability exploits a race condition in the Windows Backup Service between temporary file creation and deletion processes. The issue occurs in the IsWritable() function called by QueryStorageDevice(), which verifies storage path writability. The vulnerability has a CVSS 3.1 Base Score of 7.1 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H (NVD).

The exploitation of this vulnerability can lead to two significant impacts: the deletion of multiple files outside of the basic user's scope due to thread race conditions, and privilege escalation to 'SYSTEM' user level, potentially allowing complete system takeover (CloudSEK Report).

Microsoft released a security patch on January 10, 2023, to address this vulnerability. The patch implements the CheckDevicePathIsWriteable() function to prevent race conditions that occur due to threads getting locked during simultaneous backup processes. The primary mitigation strategy is to ensure operating systems are updated with the latest security patches (CloudSEK Report).

The vulnerability has gained attention in cybersecurity communities, with mentions and discussions appearing on Russian-speaking cybercrime forums and Telegram channels. Security researchers and threat actors with medium reputation have provided detailed analysis of the vulnerability (CloudSEK Report).