The United States Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2023-29360 (CVSS score 8.4), an untrusted pointer dereference vulnerability in the Microsoft Streaming Service, to its Known Exploited Vulnerabilities (KEV) catalog.
An attacker can exploit this vulnerability to obtain SYSTEM privileges. Thomas Imbert (@masthoon) of Synacktiv (@Synacktiv) discovered the vulnerability and reported it through Trend Micro's Zero Day Initiative.
The public availability of proof-of-concept (PoC) code has allowed multiple threat actors to incorporate the exploit into their attack chains.
In February, an analysis of several Raspberry Robin samples dating from before October 2023 found that the malware's developers had also exploited CVE-2023-29360. The exploitation technique for CVE-2023-29360 was publicly disclosed in June, and Raspberry Robin was using it by August.
Under Binding Operational Directive (BOD) 22-01: Minimizing the Considerable Risk of Known Exploited Vulnerabilities, FCEB agencies must remediate identified vulnerabilities by the due date in order to protect their networks from attacks that exploit the vulnerabilities listed in the catalog.
Experts also urge private organizations to review the catalog and remediate the listed vulnerabilities in their own systems.
CISA requires federal agencies to address this vulnerability by March 21, 2024.