Applies OS-specific registry settings to enable the Windows Kernel Information Disclosure fix (CVE-2023-32019)
This Automox Worklet™ activates the fix for CVE-2023-32019, a Windows Kernel Information Disclosure vulnerability. Microsoft included the fix in June 2023 cumulative updates but disabled it by default due to potential functionality-breaking changes. This Worklet enables the protection through registry configuration.
The Worklet supports multiple Windows versions with different registry paths and values. It identifies your OS build number and applies the correct mitigation: LazyRetryOnCommitFailure for older builds (Server 2016, Server 2019) or FeatureManagement Overrides for newer builds (Windows 10 20H2+, Windows 11, Server 2022).
The Worklet examines registry keys including HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides, HKCU:\Automox\WorkletConfig, HKLM:\SYSTEM\CurrentControlSet\Control\Session.
The Worklet also verifies whether the required prerequisite patch (KB5027215, KB5027219, KB5027222, KB5027225, or KB5027231) is installed. It reports patch status in the Activity Log but does not install updates automatically.
Microsoft delivered this security fix in a disabled state because enabling it may cause compatibility issues with certain applications. Organizations must explicitly opt in to the protection after testing in their environment.
CVE-2023-32019 allows local attackers to read kernel memory and potentially extract sensitive information. While exploitation requires local access, the vulnerability presents risk in multi-user environments or where attackers have gained an initial foothold.
Warning: Review Microsoft's KB5028407 documentation thoroughly before deployment. Test with a pilot group to identify any functionality-breaking changes in your environment before broad rollout.
Evaluation phase: The Worklet detects the Windows build number and matches it against supported versions. It checks WMI and hotfix data to determine if the required prerequisite patch is installed. It then examines the OS-specific registry path for the mitigation value. If the registry configuration does not match the desired state, it stores configuration in HKCU for remediation and triggers the remediation phase.
Remediation phase: The Worklet retrieves the stored configuration, reports patch status to the Activity Log, creates the registry key path if missing, and sets the appropriate DWORD value. For Windows 10 20H2-22H2 this is FeatureManagement\Overrides\4103588492=1, for Windows 11 22H2 it is 4237806220=1, and for older builds it sets LazyRetryOnCommitFailure=0.
Windows 10 version 1607 or later, Windows 11, Windows Server 2016, 2019, or 2022
June 2023 cumulative update installed (KB5027215, KB5027219, KB5027222, KB5027225, or KB5027231)
Administrative privileges to modify the registry
Must run as a scheduled policy (stores configuration between evaluation and remediation)
Parameter: revert (set to true to undo mitigation)
After successful remediation, the OS-specific registry value enables kernel memory protection against CVE-2023-32019. The Activity Log indicates whether the prerequisite patch is installed and confirms the registry configuration was applied.
Endpoints not on the impacted build list (older Windows versions without a mitigation path) exit cleanly without changes. To undo the mitigation, uncomment the revert parameter and run the Worklet again. Monitor your environment for any application compatibility issues after enabling this fix.
Run this Worklet on a pilot Windows endpoint and review the evaluation output for the CVE-2023-32019 mitigation.
Confirm Automox activity logs show successful completion and exit code 0.
Verify endpoint state using checks aligned to evaluation script logic, such as FUNCTIONALITY-BREAKING, Write-Verbose, Set-AXConfig.
Validate remediation effects from script operations such as FUNCTIONALITY-BREAKING, Write-Verbose, ConvertTo-Hashtable, then rerun evaluation for compliance.
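For verifying endpoint state independently of the Worklet, the following read-only PowerShell check is an added example, not Automox's Worklet code. It covers only the FeatureManagement Overrides case; the function name and the build-number mapping (19042-19045 for Windows 10 20H2-22H2, 22621 for Windows 11 22H2) are assumptions of this example, while the override IDs and KB numbers are the ones listed on this page.

```powershell
# Added example (not Automox code): read-only check of the FeatureManagement override.
# Override IDs and KB numbers are the ones listed on this page; the build-number
# mapping is this example's assumption (19042-19045 = Windows 10 20H2-22H2,
# 22621 = Windows 11 22H2). Builds that use LazyRetryOnCommitFailure are out of scope.
$OverridePath = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides'
$OverrideByBuild = @{
    19042 = '4103588492'; 19043 = '4103588492'
    19044 = '4103588492'; 19045 = '4103588492'
    22621 = '4237806220'
}
$PrereqKbs = 'KB5027215', 'KB5027219', 'KB5027222', 'KB5027225', 'KB5027231'

function Get-Cve202332019OverrideState {
    [CmdletBinding()]
    param(
        # Defaults to the local build number.
        [int]$Build = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    )
    $report = [ordered]@{
        Build = $Build; ValueName = $null; CurrentValue = $null
        PrereqKbFound = $null; State = 'NotCovered'
    }
    if (-not $OverrideByBuild.ContainsKey($Build)) {
        return [pscustomobject]$report   # build has no override in this example's table
    }
    $name = $OverrideByBuild[$Build]
    $report.ValueName = $name

    # A later cumulative update can supersede these KBs, so $false here does not
    # prove the fix code is absent; confirm the patch level manually in that case.
    $kb = Get-HotFix -Id $PrereqKbs -ErrorAction SilentlyContinue
    $report.PrereqKbFound = [bool]$kb

    # A missing key or value means the fix is still in its default, disabled state.
    $item = Get-ItemProperty -Path $OverridePath -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $report.CurrentValue = $item.$name }
    $report.State = if ($report.CurrentValue -eq 1) { 'Enabled' } else { 'NotEnabled' }
    return [pscustomobject]$report
}

Get-Cve202332019OverrideState | Format-List
```

The function changes nothing on the endpoint, so it can run before and after remediation to compare the reported State.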

