CISA adds CVE-2023-29360 to the Exploited Vulnerabilities Database

The Cybersecurity and Security Agency (CISA) added CVE-2023-29360 to the Known Exploited Vulnerabilities database on 29 February 2024. It has allowed 3 weeks to patch this threat i.e. by 21 March 2024.

Salient points

• CVE-2023-29360 is an Elevation of Privilege vulnerability affecting Microsoft Streaming Service.
• This is a CVSS 8.4 vulnerability with HIGH severity.
• It was first detected by the Trend Micro Zero Day initiative in June 2023.
• This vulnerability was first reported by Microsoft in June 2023. It was successfully patched as part of the June 2023 Patch Tuesday program.
• This is not a new vulnerability. It is more likely to be exploited if the target systems are unpatched since June 2023.

What versions of Windows are affected?

CVE-2023-29360 affects the following versions of Windows operating systems:

CVE-2024-21338 Vulnerability

Windows Version	Build Number	Fixed in Security Update
Windows Server 2022, 23H2 Edition (Server Core installation)	10.0.25398.709	KB5034769
Windows 11 Version 23H2 for x64-based Systems	10.0.22631.3155	KB5034765
Windows 11 Version 23H2 for ARM64-based Systems	10.0.22631.3155	KB5034765
Windows 10 Version 22H2 for 32-bit Systems	10.0.19045.4046	KB5034763
Windows 10 Version 22H2 for ARM64-based Systems	10.0.19045.4046	KB5034763
Windows 10 Version 22H2 for x64-based Systems	10.0.19045.4046	KB5034763
Windows 11 Version 22H2 for x64-based Systems	10.0.22621.3155	KB5034765
Windows 11 Version 22H2 for ARM64-based Systems	10.0.22621.3155	KB5034765
Windows 10 Version 21H2 for x64-based Systems	10.0.19044.4046	KB5034763
Windows 10 Version 21H2 for ARM64-based Systems	10.0.19044.4046	KB5034763
Windows 10 Version 21H2 for 32-bit Systems	10.0.19044.4046	KB5034763
Windows 11 version 21H2 for ARM64-based Systems	10.0.22000.2777	KB5034766
Windows 11 version 21H2 for x64-based Systems	10.0.22000.2777	KB5034766
Windows Server 2022 (Server Core installation)	10.0.20348.2322	KB5034770
Windows Server 2022	10.0.20348.2322	KB5034770
Windows Server 2019 (Server Core installation)	10.0.17763.5458	KB5034768
Windows Server 2019	10.0.17763.5458	KB5034768
Windows 10 Version 1809 for ARM64-based Systems	10.0.17763.5458	KB5034768
Windows 10 Version 1809 for x64-based Systems	10.0.17763.5458	KB5034768
Windows 10 Version 1809 for 32-bit Systems	10.0.17763.5458	KB5034768

About CVE-2023-29360

We share brief details of CVE-2023-29360 below.

• CVSS Score of 8.4
• Impact is the Elevation of Privileges
• Severity is HIGH

Microsoft Streaming Service contains an untrusted pointer dereference vulnerability that allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

This vulnerability was patched in June 2023 Patch Tuesday security updates. If you have deployed June 2023 cumulative updates or security updates, you would have already patched against CVE-2023-29360.

If you have installed any cumulative update after June 2023, the threat would have been resolved. This is because cumulative monthly updates are cumulative in nature and contain changes of preceding cumulative updates.

So, we must ensure that we have a cumulative update of June 2023 or a later date on the affected Windows operating system.

If you are unable to install the June 2023 cumulative update or any subsequent cumulative update, please consider discontinuing the use of Microsoft Streaming Service.

About Microsoft Streaming Service

Microsoft Stream is an enterprise video platform integrated within the Microsoft 365 ecosystem, designed to facilitate communication, collaboration, and learning within organizations. 

Microsoft Stream Features:

• Video Creation and Sharing: Users can record their screens, themselves, or Teams meetings, add text, drawings, and effects to personalize videos, and easily share them with colleagues for feedback.
• Integration with Microsoft 365 Apps: Microsoft Stream is deeply integrated with various Microsoft 365 apps like Teams, SharePoint, Viva Engage, PowerPoint, and OneDrive, allowing seamless video creation and consumption within these platforms.
• Two Versions: Microsoft offers two versions of Stream – Stream (Classic) and Stream (built on SharePoint). The latter version is the new iteration that offers enhanced video playback experiences and is gradually replacing the classic version.
• Storage Integration: Videos in the new version of Stream are stored in SharePoint, Teams, and OneDrive alongside other files like documents and presentations.
• Enhanced User Experience: With features like automatic transcription in multiple languages, viewer analytics, video chapters, and integration into Microsoft Search, Microsoft Stream aims to provide a user-friendly and efficient video-sharing experience.

More Security Stories

You may like to read more cyber-security stories below:

• Lazarus exploiting Windows Applocker Zero-day Vulnerability
• Microsoft Edge version 122.0.2365.52 – 23 Feb 2024
• CISA adds ConnectWise ScreenConnect vulnerability to the KEV database
• Avast accused of Selling Customer Browsing Data to Advertisers
• CISA adds Microsoft Exchange vulnerability to the KEV database
• CISA adds Cisco ASA vulnerability to KEV Catalog
• Microsoft reports 73 security vulnerabilities in Patch Tuesday – Feb 2024
• Adobe reports CRITICAL security vulnerabilities in multiple products
• Data breach at France’s data protection agency CNIL
• Bank of America Data Breach at Infosys McCamish Systems
• CISA adds Roundcube Webmail XSS Vulnerability to KEV catalog
• Zero-day vulnerability in FortiOS – CVE-2024-21762
• Critical Security Vulnerabilities in Cisco Expressway Series
• 2 Critical Vulnerabilities reported by Fortinet
• Verizon Data Breach – Feb 2024
• AnyDesk Cyberattack incident – February 2024
• Cloudflare Data Breach – November 2023
• Ivanti VPN Vulnerabilities – Jan 2024
• Mercedes Source Code Leak – Jan 2024
• Schneider Electric Ransomware attack – Jan 2024
• Android Security Update – Feb 2024