cbcvebase.
CVE-2023-29360
published 2023-06-14

CVE-2023-29360: Microsoft Streaming Service Elevation of Privilege Vulnerability

Priority: P1 (83) · Severity: high · CVSS 3.1 base score: 8.4
CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (remediation due 2024-03-21)
Exploited in the wild
EPSS: 22.13% (97.4th percentile)

Affected

28 ranges, showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10_1607 | < 10.0.14393.5989 | 10.0.14393.5989 |
| microsoft | windows_10_1809 | < 10.0.17763.4499 | 10.0.17763.4499 |
| microsoft | windows_10_21h2 | < 10.0.19044.3086 | 10.0.19044.3086 |
| microsoft | windows_10_22h2 | < 10.0.19045.3086 | 10.0.19045.3086 |
| microsoft | windows_10_version_1607 | >= 10.0.14393.0, < 10.0.14393.5989 | 10.0.14393.5989 |
| microsoft | windows_10_version_1809 | >= 10.0.0, < 10.0.17763.4499 | 10.0.17763.4499 |
| microsoft | windows_10_version_1809 | >= 10.0.17763.0, < 10.0.17763.4499 | 10.0.17763.4499 |
| microsoft | windows_10_version_21h2 | >= 10.0.19043.0, < 10.0.19044.3086 | 10.0.19044.3086 |
| microsoft | windows_10_version_22h2 | >= 10.0.19045.0, < 10.0.19045.3086 | 10.0.19045.3086 |
| microsoft | windows_11_21h2 | < 10.0.22000.2057 | 10.0.22000.2057 |
| microsoft | windows_11_22h2 | < 10.0.22621.1848 | 10.0.22621.1848 |
| microsoft | windows_11_version_21h2 | >= 10.0.0, < 10.0.22000.2057 | 10.0.22000.2057 |
| microsoft | windows_11_version_22h2 | >= 10.0.22621.0, < 10.0.22621.1848 | 10.0.22621.1848 |
| microsoft | windows_server_2016 | < 10.0.14393.5989 | 10.0.14393.5989 |
| microsoft | windows_server_2016 | >= 10.0.14393.0, < 10.0.14393.5989 | 10.0.14393.5989 |
| microsoft | windows_server_2019 | < 10.0.17763.4499 | 10.0.17763.4499 |
| microsoft | windows_server_2019 | >= 10.0.17763.0, < 10.0.17763.4499 | 10.0.17763.4499 |
| microsoft | windows_server_2022 | < 10.0.20348.1784 | 10.0.20348.1784 |
| microsoft | windows_server_2022 | >= 10.0.20348.0, < 10.0.20348.1787 | 10.0.20348.1787 |
| msrc | windows_10_version_1607 | | |
| msrc | windows_10_version_1809 | | |
| msrc | windows_10_version_21h2 | | |
| msrc | windows_10_version_22h2 | | |
| msrc | windows_11_version_21h2 | | |
| msrc | windows_11_version_22h2 | | |
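
To check a host's build against the table above, here is an added Python example; it is not the cbcvebase page's own code. FIXED_IN and BUILD_TO_PRODUCT are transcribed from the table; parse_build, fixed_build, is_vulnerable and the decision to require the highest fixed-in build where a product lists two (Windows Server 2022 appears with both 10.0.20348.1784 and 10.0.20348.1787) are mine.

```python
from typing import Dict, List, Optional, Tuple

Build = Tuple[int, int, int, int]

# Transcribed from the Affected table: product -> every fixed-in build listed for it.
FIXED_IN: Dict[str, List[str]] = {
    "windows_10_version_1607": ["10.0.14393.5989"],
    "windows_10_version_1809": ["10.0.17763.4499"],
    "windows_10_version_21h2": ["10.0.19044.3086"],
    "windows_10_version_22h2": ["10.0.19045.3086"],
    "windows_11_version_21h2": ["10.0.22000.2057"],
    "windows_11_version_22h2": ["10.0.22621.1848"],
    "windows_server_2016": ["10.0.14393.5989"],
    "windows_server_2019": ["10.0.17763.4499"],
    "windows_server_2022": ["10.0.20348.1784", "10.0.20348.1787"],  # table lists both
}

# OS build number (third component) -> product key. 14393 and 17763 are shared by a
# client and a server edition with the same fixed-in build, so the client key is used.
BUILD_TO_PRODUCT: Dict[int, str] = {
    14393: "windows_10_version_1607",
    17763: "windows_10_version_1809",
    19044: "windows_10_version_21h2",
    19045: "windows_10_version_22h2",
    20348: "windows_server_2022",
    22000: "windows_11_version_21h2",
    22621: "windows_11_version_22h2",
}


def parse_build(text: str) -> Build:
    """Parse '10.0.19045.3086' (as printed by `ver`) into a comparable tuple.
    A three-part string such as '10.0.19045' gets revision 0."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) not in (3, 4) or parts[:2] != [10, 0]:
        raise ValueError(f"unexpected Windows build string: {text!r}")
    parts += [0] * (4 - len(parts))
    return parts[0], parts[1], parts[2], parts[3]


def fixed_build(product: str) -> Build:
    """Highest fixed-in build the table lists for the product. My conservative choice
    where two are listed: a host counts as patched only once it reaches the higher one."""
    return max(parse_build(b) for b in FIXED_IN[product])


def is_vulnerable(build_text: str, product: Optional[str] = None) -> Optional[bool]:
    """True if below the fixed-in build, False if at or above it, None if the build is
    one the table does not cover (e.g. 22631, Windows 11 23H2, which shipped after the
    June 2023 fix and falls outside every listed range)."""
    build = parse_build(build_text)
    key = product or BUILD_TO_PRODUCT.get(build[2])
    if key not in FIXED_IN:
        return None
    return build < fixed_build(key)


if __name__ == "__main__":
    for sample in ("10.0.19045.3085", "10.0.19045.3086", "10.0.20348.1784", "10.0.22631.2428"):
        print(sample, is_vulnerable(sample))
```

On the host, the four-part build is what `ver` prints, or in PowerShell the CurrentBuild and UBR values under HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion joined as 10.0.CurrentBuild.UBR. Pass `product=` explicitly for Server 2016 and Server 2019, whose build numbers the client SKUs share.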

Detection & IOCs (extracted from sources)

filename: MSKSSRV.SYS (also written mskssrv.sys)
filename: aclui.dll
filename: OleView.exe
process: runlegacycplelevated.exe
process: cleanmgr.exe
registry: HKLM\System\CurrentControlSet\Control\Terminal Server\GlassSessionId
path: \\tsclient\c
  • Raspberry Robin exploits CVE-2023-29360 via a 64-bit external executable (not embedded in the main 32-bit component) that lacks the heavy obfuscation typical of the rest of the malware — look for anomalous 64-bit child processes spawned from the main 32-bit Raspberry Robin payload.
  • Detect DLL side-loading of aclui.dll alongside a signed OleView.exe delivered in a RAR archive — this is the Raspberry Robin initial access vector used in conjunction with CVE-2023-29360 exploitation.
  • Monitor for NtTraceEvent API patching at runtime, which Raspberry Robin uses to evade Event Tracing for Windows (ETW) detection during privilege escalation.
  • Alert on processes calling AbortSystemShutdownW or ShutdownBlockReasonCreate from non-system binaries — Raspberry Robin uses these APIs to prevent shutdown interruption during exploitation.
  • Detect Raspberry Robin's C2 beaconing pattern: initial outbound connections to 60 hard-coded Tor v3 .onion domains (masquerading as well-known sites) before contacting real C2 — flag any process making Tor circuit connections to the listed onion domains.
  • Flag use of PAExec.exe for lateral movement or payload download — Raspberry Robin switched from PsExec.exe to PAExec.exe to evade behavioral signatures.
  • Detect checks against GetUserDefaultLangID and GetModuleHandleW first-byte comparisons — Raspberry Robin uses these to detect security product API hooks before proceeding with exploitation.
  • The CVE-2023-29360 exploit used by Raspberry Robin was deployed as an external 64-bit executable separate from the main malware body and was first observed in the wild in August 2023, before any public PoC was available on GitHub (PoC published September 24, 2023). Detections based solely on known public PoC signatures may miss the in-the-wild variant.
  • The exploit targets Windows builds up through 22621 (Windows 11 22H2, per the Affected table); later builds, and systems already patched with the June 2023 Patch Tuesday update, are not vulnerable.
  • CISA has not reported evidence that CVE-2023-29360 was used in ransomware attacks specifically, though it is actively exploited by Raspberry Robin, which acts as an initial access broker for multiple crime groups.

CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.4 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | | 8.4 | HIGH | |
| cisa | | 8.4 | HIGH | |
| vendor_msrc | | 8.4 | HIGH | |