The US cybersecurity agency CISA on Thursday added a high-severity elevation of privilege flaw in Microsoft Streaming Service to its Known Exploited Vulnerabilities catalog, warning of its active exploitation in the wild.
The Streaming Service, an integral part of Windows, is a system service that enables the streaming of audio and video across a network for multimedia and gaming applications, and video conferencing software.
The issue, tracked as CVE-2023-29360 (CVSS score of 8.4) and patched in June 2023 in Windows 10 and 11 and Windows Server 2016, 2019, and 2022, could allow attackers to gain System privileges on a vulnerable machine.
“Microsoft Streaming Service contains an untrusted pointer dereference vulnerability that allows for privilege escalation, enabling a local attacker to gain System privileges,” CISA’s entry in the KEV catalog reads.
CISA has not provided information on the attacks exploiting CVE-2023-29360 and noted that it has no evidence that ransomware groups are targeting it. Microsoft’s June 2023 advisory still flags the bug as “not exploited”.
Proof-of-concept (PoC) code targeting the MSKSSRV.SYS driver (a system file associated with the Microsoft Kernel Streaming Server) to exploit CVE-2023-29360 has been available for roughly six months.
Despite the PoC’s availability and CISA’s action, no other reports on this vulnerability’s exploitation have emerged until now.
When a new security hole is added to the KEV list, US federal agencies have three weeks to identify and patch vulnerable assets within their environments, as dictated by the Binding Operational Directive (BOD) 22-01. In CVE-2023-29360’s case, that deadline is March 21.
The cybersecurity agency urges all organizations to apply patches available for the security defects in the KEV catalog, warning that they pose a significant risk of compromise.
“We released a fix for CVE-2023-29360 in June last year. Customers who have installed the latest updates, or have automatic updates enabled, are already protected,” a Microsoft spokesperson said, responding to a SecurityWeek inquiry.
*Updated with statement from Microsoft.
Related: CISA Urges Patching of Cisco ASA Flaw Exploited in Ransomware Attacks
Related: CISA Warns of Roundcube Webmail Vulnerability Exploitation
Related: Faster Patching Pace Validates CISA’s KEV Catalog Initiative