CVE-2023-35359: 
vulnerability analysis and mitigation

Windows Kernel Elevation of Privilege Vulnerability (CVE-2023-35359) was disclosed in August 2023, affecting multiple versions of Microsoft Windows operating systems. This vulnerability allows an attacker with user-level access to gain SYSTEM privileges on a vulnerable system. The vulnerability stems from the ability of a normal user account to replace the original C:\ drive with a fake one by placing a symlink for the system drives in the device map for each login session (Securelist).

The vulnerability has a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The technical root cause involves the manipulation of system drive mapping during impersonation, where privileged processes can be tricked into following a fake root implemented with medium integrity process instead of the original system drive root. Microsoft addressed this by implementing checks in ObpLookupObjectName to verify if the loaded resource is a file object and ensuring the use of SystemDevice instead of impersonated device maps (Securelist).

When successfully exploited, this vulnerability allows an attacker to elevate privileges to SYSTEM level, potentially gaining complete control over the affected system. This could enable an attacker to install programs, view, change, or delete data, and create new accounts with full administrator rights (NVD).

Microsoft has released security updates to address this vulnerability. The patch was implemented in ObpLookupObjectName to check if the loaded resource is a file object and ensure the use of SystemDevice instead of impersonated device maps. Users are strongly advised to apply the latest security updates to their Windows systems (Securelist).