In a security advisory published on May 9th, Microsoft disclosed the existence of a Local Privilege Escalation vulnerability in Sysmon (CVE-2023-29343). The vulnerability was discovered by an independent security researcher and was responsibly disclosed to Microsoft. Microsoft has released Sysmon version 14.16 to address this vulnerability.
Because exploitation requires local access to a system running Sysmon, this type of vulnerability is expected to be used by threat actors to escalate privileges on an already compromised system rather than as an initial access vector.
While Microsoft currently assesses that the likelihood of exploitation is low due to the lack of a publicly available proof-of-concept exploit, Arctic Wolf recommends upgrading to the latest available version of Sysmon on your organization’s monitored endpoints.
Recommendations for CVE-2023-29343
Recommendation: Upgrade Sysmon to version 14.16
Arctic Wolf strongly recommends planning to upgrade Sysmon to version 14.16 as part of your organization’s next patching cycle. This version of Sysmon has been patched to address the local privilege escalation vulnerability described in this bulletin.
The latest version of the Arctic Wolf Sysmon Assistant application supports upgrading Sysmon in place, without manual uninstallation and reinstallation. To perform the Sysmon update, review the update instructions on this page for the Sysmon Assistant and Sysmon, and follow the ones that match your software deployment process.
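To confirm that the upgrade actually landed on an endpoint, the following PowerShell check (added here; it is not part of this bulletin or of the Sysmon Assistant) reads the version of the installed Sysmon binary and compares it with 14.16. It assumes Sysmon was installed under its default service name, Sysmon or Sysmon64; a service registered under a custom name must be passed in via -ServiceNames.

```powershell
# Added check (not from the Arctic Wolf bulletin): report whether the installed
# Sysmon binary is at or above the patched version, 14.16 (CVE-2023-29343).
# Assumption: default service names "Sysmon" / "Sysmon64"; pass -ServiceNames
# if the service was registered under a custom name at install time.
param(
    [string[]]$ServiceNames = @('Sysmon', 'Sysmon64'),
    [version]$PatchedVersion = [version]'14.16'
)

function Get-SysmonVersionStatus {
    param([string[]]$Names, [version]$Minimum)

    # Build a WQL filter matching any of the candidate service names.
    $filter = ($Names | ForEach-Object { "Name='$_'" }) -join ' OR '
    $svc = Get-CimInstance -ClassName Win32_Service -Filter $filter |
        Select-Object -First 1
    if (-not $svc) {
        return [pscustomobject]@{ Installed = $false; Path = $null; Version = $null; Patched = $false }
    }

    # PathName may be quoted and may carry arguments; keep only the executable.
    $exe = ($svc.PathName -replace '^"([^"]+)".*$', '$1').Trim()
    if ($exe -match '^(.+?\.exe)\b') { $exe = $Matches[1] }

    # Use the file's version resource; strip any non-numeric suffix before parsing.
    $fileVersion = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
    $installed = [version]($fileVersion -replace '[^\d.].*$', '')

    [pscustomobject]@{
        Installed = $true
        Path      = $exe
        Version   = $installed
        Patched   = ($installed -ge $Minimum)
    }
}

$status = Get-SysmonVersionStatus -Names $ServiceNames -Minimum $PatchedVersion
$status | Format-List
# Non-zero exit lets a deployment tool flag endpoints still running a vulnerable build.
if ($status.Installed -and -not $status.Patched) { exit 1 }
```

An endpoint without a Sysmon service reports Installed = False and exits 0, so the script only fails where Sysmon is present and below 14.16.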