CVE-2023-36802 — Microsoft Streaming Service Proxy Privilege Escalation Vulnerability

CVE-2023-36802

Microsoft Streaming Service Proxy — Use-After-Free Kernel Zero-Day Exploited for SYSTEM Privilege Escalation

What is the Microsoft Streaming Service Proxy?

The Microsoft Streaming Service Proxy (MSKSSRV.SYS) is a Windows kernel-mode driver that acts as a proxy for kernel streaming (KS) — the Windows multimedia subsystem used for audio and video capture, processing, and playback. It handles communication between user-mode applications and kernel-mode streaming drivers. Because it is a kernel driver, vulnerabilities in MSKSSRV.SYS can be exploited by any local user to gain SYSTEM-level privileges, bypassing all user-space security boundaries.

Overview

CVE-2023-36802 is a use-after-free vulnerability in the Microsoft Streaming Service Proxy driver that allows a local attacker with standard user access to escalate privileges to SYSTEM. Microsoft disclosed and patched it on September 12, 2023 (Patch Tuesday), acknowledging active exploitation in the wild before the patch. CISA added it to the KEV catalog on the same day, reflecting the zero-day status.

Affected Versions

Product                          Affected   Fixed
Windows 10 (multiple versions)   Yes        September 2023 cumulative update
Windows 11 (multiple versions)   Yes        September 2023 cumulative update
Windows Server 2019              Yes        September 2023 cumulative update
Windows Server 2022              Yes        September 2023 cumulative update

Technical Details

The vulnerability is a use-after-free (CWE-416) in MSKSSRV.SYS. In a use-after-free, a driver dereferences a pointer to a kernel object after that object has been freed, creating a dangling pointer. An attacker can manipulate kernel heap layout to reclaim the freed memory with attacker-controlled data before the dangling pointer is dereferenced, achieving controlled kernel code execution.

The specific trigger involves crafted I/O control requests (DeviceIoControl calls) sent to the Streaming Service Proxy device; any low-privileged user can issue them, since the driver accepts connections from user space. The exploitation complexity is low — reflected in the CVSS AC:L metric — meaning the primitive is reliable once an exploit has been written.

Use-after-free vulnerabilities in Windows kernel drivers are one of the most common mechanisms used by post-exploitation frameworks: after gaining initial code execution via a browser, email, or application vulnerability, attackers use kernel EoP bugs to reach SYSTEM, from which they can disable Windows Defender, dump credentials from LSASS, and establish persistence.

Discovery

Microsoft credited Valentina Palmiotti (IBM) and Quan Jin (DBAppSecurity) with the discovery. The active exploitation confirms the vulnerability was found independently by threat actors before the coordinated disclosure.

Exploitation Context

Microsoft confirmed active exploitation of CVE-2023-36802 at the time of the September 2023 Patch Tuesday release. The zero-day status and the CVSS local privilege escalation profile are consistent with use as the second stage in attack chains: initial access via another vector, followed by this kernel EoP to reach SYSTEM. This pattern is standard in targeted intrusions by both cybercriminal groups (ransomware affiliates) and nation-state actors who need to disable security software or access protected credential stores.

Remediation

  1. Apply the September 2023 cumulative update for your Windows version immediately — this is the definitive fix for the use-after-free in MSKSSRV.SYS.
  2. Prioritize systems where unprivileged users can execute code — shared workstations, RDS/VDI environments, developer machines, and any internet-facing system with local user access are highest risk.
  3. Enable Windows Defender Attack Surface Reduction (ASR) rules — while ASR does not directly block this exploit, it reduces the likelihood of the initial-access stage that precedes kernel EoP.
  4. Monitor for suspicious SYSTEM-level process creation from low-privileged parent processes — a successful local privilege escalation will manifest as a SYSTEM process spawned by a standard-user process.
  5. Apply Microsoft's cumulative updates promptly — kernel EoP zero-days are frequently weaponized within days of discovery; maintaining patch currency is the most effective defense.
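The detection in step 4, as an added example that is not part of this advisory: it scans process-creation events for a SYSTEM child spawned by a parent that runs as an ordinary user. The field names (record_id, parent_sid, new_process_sid, parent_image) are an assumption modelled on Windows Security Event 4688 and Sysmon Event ID 1; map them to whatever your log pipeline emits. The sample events are constructed, not real telemetry.

```python
# Added example (not from the advisory): flag process-creation events in which a
# SYSTEM process was spawned by a parent running as an ordinary user, the footprint
# the remediation list describes for a successful local EoP.
# Field names are an assumption modelled on Security Event 4688 / Sysmon Event ID 1.
SYSTEM_SID = "S-1-5-18"  # NT AUTHORITY\SYSTEM


def is_user_account(sid: str) -> bool:
    """Local and domain user accounts carry S-1-5-21-<authority>-<rid> SIDs;
    built-in service identities (SYSTEM, LOCAL SERVICE, ...) do not."""
    return sid.startswith("S-1-5-21-")


def find_eop_candidates(events, allowed_parents=frozenset()):
    """Return record ids where a user-owned parent created a SYSTEM child.
    allowed_parents: lowercase image names tuned out after analyst review."""
    hits = []
    for ev in events:
        if ev["event_id"] != 4688:
            continue                       # only process-creation events
        if ev["new_process_sid"] != SYSTEM_SID:
            continue                       # child is not SYSTEM: out of scope
        if not is_user_account(ev["parent_sid"]):
            continue                       # SYSTEM/service parent: expected
        if ev["parent_image"].rsplit("\\", 1)[-1].lower() in allowed_parents:
            continue                       # reviewed and allow-listed parent
        hits.append(ev["record_id"])
    return hits


# Constructed sample events (not real telemetry).
USER = "S-1-5-21-1000000000-2000000000-3000000000-1001"
SAMPLE_EVENTS = [
    {"record_id": 1, "event_id": 4688, "parent_image": r"C:\Windows\System32\services.exe",
     "parent_sid": SYSTEM_SID, "new_process_sid": SYSTEM_SID},   # service host: normal
    {"record_id": 2, "event_id": 4688, "parent_image": r"C:\Windows\explorer.exe",
     "parent_sid": USER, "new_process_sid": USER},               # user app: normal
    {"record_id": 3, "event_id": 4688, "parent_image": r"C:\Windows\explorer.exe",
     "parent_sid": USER, "new_process_sid": SYSTEM_SID},         # user -> SYSTEM: alert
    {"record_id": 4, "event_id": 4688, "parent_image": r"C:\Users\alice\tool.exe",
     "parent_sid": USER, "new_process_sid": SYSTEM_SID},         # user -> SYSTEM: alert
    {"record_id": 5, "event_id": 4689, "parent_image": r"C:\Windows\explorer.exe",
     "parent_sid": USER, "new_process_sid": SYSTEM_SID},         # process exit: ignored
]

if __name__ == "__main__":
    print("suspicious records:", find_eop_candidates(SAMPLE_EVENTS))  # [3, 4]
```

Kernel EoP exploits often swap the token of an already-running process rather than creating a new one, so pair this rule with checks on token attributes (integrity level, TokenElevationType) in the same event stream.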

Key Details

Property              Value
CVE ID                CVE-2023-36802
Vendor / Product      Microsoft — Streaming Service Proxy
NVD Published         2023-09-12
NVD Last Modified     2025-10-28
CVSS 3.1 Score        7.8
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-416
CISA KEV Added        2023-09-12
CISA KEV Deadline     2023-10-03
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Local
Attack Complexity     Low
Privileges Required   Low
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2023-10-03. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2023-09-12   Microsoft September 2023 Patch Tuesday — CVE-2023-36802 disclosed and patched as an actively exploited zero-day
2023-09-12   Added to the CISA Known Exploited Vulnerabilities catalog
2023-10-03   CISA BOD 22-01 remediation deadline

References

Resource                                      Type
Microsoft Security Response Center Advisory   Vendor Advisory
NVD — CVE-2023-36802                          Vulnerability Database
CISA KEV Catalog Entry                        US Government