CVE-2023-28229

What is the Windows CNG Key Isolation Service?

The Cryptographic Next Generation (CNG) Key Isolation Service (KeyIso, running as lsass.exe) is a Windows service that provides secure storage and isolation for private key operations. It is responsible for protecting private keys used by applications, certificates, and system components — the service runs operations involving private keys in a protected process to limit exposure of sensitive cryptographic material to user-space code. Because the Key Isolation Service handles private keys for the entire system, any vulnerability that allows unauthorized access to its operations or data can expose sensitive cryptographic material or enable privilege escalation.

Overview

CVE-2023-28229 is a sensitive data storage vulnerability (CWE-591) in the Windows CNG Key Isolation Service that allows a local attacker with standard user privileges to escalate to limited SYSTEM privileges. It was patched in the April 2023 Patch Tuesday update. Unlike same-day KEV additions, CISA added this to the KEV catalog in October 2023 — nearly six months after the patch — reflecting delayed confirmation of active exploitation. Microsoft's description of "specific limited SYSTEM privileges" distinguishes this from full arbitrary SYSTEM code execution.

Affected Versions

Technical Details

The CWE-591 classification (Sensitive Data Storage in Improperly Locked Memory) indicates the vulnerability involves cryptographic material or security-sensitive data being stored or accessed in a way that allows an unauthorized local process to read or influence it. In the context of the CNG Key Isolation Service, this could manifest as improperly protected memory regions containing key material or process tokens that a low-privileged process can access.

The AC:H (High Complexity) CVSS metric is notable: it indicates the vulnerability is harder to exploit reliably than a typical LPE bug. High complexity exploits often require specific race conditions, heap layout conditions, or multiple steps that depend on timing or system state. This distinguishes CVE-2023-28229 from the straightforward CLFS heap overflow bugs (CVE-2023-28252, CVE-2023-23376) patched in the same period.

Microsoft's phrasing of "specific limited SYSTEM privileges" — rather than "SYSTEM code execution" — suggests the attacker gains particular elevated capabilities (such as access to specific protected resources or the ability to perform certain privileged operations) rather than arbitrary kernel-level code execution.

Discovery

CVE-2023-28229 was reported to Microsoft via coordinated disclosure. The six-month gap between the April 2023 patch and the October 2023 KEV addition indicates that exploitation was identified in incident response investigations or threat intelligence reporting after the patch was available — consistent with sophisticated actors who exploit patched vulnerabilities against organizations slow to apply updates.

Exploitation Context

The six-month delay between patching (April 2023) and KEV addition (October 2023) reflects the pattern where sophisticated threat actors continue exploiting patched vulnerabilities against organizations that haven't applied updates. The high complexity (AC:H) means this is not a commodity exploit widely distributed to low-skill actors — exploitation requires a carefully crafted payload and likely reflects a threat actor with significant exploit development capability who maintained this privilege escalation technique post-patch.

Remediation

1. Apply the April 2023 Windows cumulative update — the fix for CVE-2023-28229 is included. The October 2023 KEV addition means organizations without April 2023+ patches are actively targeted.
2. Audit systems for stragglers — use patch management tooling to identify Windows systems that haven't received April 2023 or later cumulative updates; prioritize those systems.
3. Maintain monthly Windows patching — sophisticated actors specifically target organizations that lag on cumulative updates; consistent patching eliminates the exposure window for patched bugs.
4. Monitor for unusual CNG Key Isolation Service behavior — unexpected access patterns or process interactions with the Key Isolation Service may indicate exploitation attempts.