Microsoft has released a patch for an Xbox vulnerability after initially telling the reporting researcher that it was not a security issue.
The vulnerability is tracked as CVE-2024-2891 and it impacts Xbox Gaming Services. According to Microsoft, it has ‘important’ severity and it can easily be exploited by a local attacker with low privileges to escalate permissions to System.
“An attacker must have local access to the targeted machine and must be able to create folders and performance traces on the machine, with restricted privileges that normal users have by default,” Microsoft explained in its advisory.
The tech giant has informed customers that app package versions 19.87.13001.0 and later patch the vulnerability. The fix should automatically be delivered to users who have automatic updates enabled.
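A quick way to check whether a Windows host still carries a pre-fix Gaming Services package, added here as an example and not taken from Microsoft's advisory or from the researcher's disclosure. It assumes the Appx package is named `Microsoft.GamingServices` and that the advisory's `19.87.13001.0` corresponds to that package's version string.

```powershell
# Added example: compare the installed Xbox Gaming Services package version against
# the fixed version named in Microsoft's advisory for CVE-2024-2891.
# Assumptions: package name 'Microsoft.GamingServices'; version string is comparable
# to the advisory's 19.87.13001.0.
$FixedVersion = [version]'19.87.13001.0'

function Test-GamingServicesPatched {
    # -AllUsers covers packages installed for other accounts but needs an elevated
    # session; fall back to the current user's view if that fails.
    $pkgs = try { Get-AppxPackage -AllUsers -Name 'Microsoft.GamingServices' -ErrorAction Stop }
            catch { Get-AppxPackage -Name 'Microsoft.GamingServices' }

    if (-not $pkgs) {
        # GamingService is not installed by default; no package means the host
        # is not exposed to this issue.
        return [pscustomobject]@{ Installed = $false; Version = $null; Patched = $true }
    }

    foreach ($p in $pkgs) {
        $v = [version]$p.Version
        [pscustomobject]@{
            Installed = $true
            Version   = $v
            Patched   = ($v -ge $FixedVersion)   # $true once the fixed build is present
        }
    }
}

Test-GamingServicesPatched | Format-Table -AutoSize
```

A row with `Patched` equal to `$false` means automatic updates have not yet delivered the fixed package and the host should be updated through the Microsoft Store.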
Microsoft’s advisory credits Filip Dragovic for reporting CVE-2024-2891 and informs customers that the vulnerability has been publicly disclosed. There is no evidence of malicious exploitation, but an ‘exploitation more likely’ rating has been assigned to the flaw.
Dragovic disclosed the details of the vulnerability on March 12. The researcher had been displeased with the fact that Microsoft had initially said that it could not reproduce the vulnerability and later assessed that “no security boundary is being broken”.
As a result, Dragovic made public a proof-of-concept (PoC) exploit, along with technical details and a video showing the exploit in action.
“Exploit for arbitrary folder move in GamingService component of Xbox. GamingService is not a default service. If the service is installed on the system, it allows low-privilege users to escalate to System,” the researcher wrote in his disclosure.
Will Dormann, a reputable cybersecurity researcher, quickly confirmed Dragovic’s findings.
Just hours after Dragovic made his findings public and Dormann confirmed the bug, Microsoft informed Dragovic that it assigned the issue an ‘important severity’ rating and that it had started working on a fix.
Microsoft published an advisory announcing the Xbox Gaming Services fix on March 20.
It’s unclear whether the tech giant will pay a bug bounty for the vulnerability, particularly since the flaw was disclosed publicly before a patch was available and without coordination with Microsoft, which the company had requested when it initially concluded that no security boundary was being broken.
Microsoft does have a dedicated Xbox bug bounty program, with rewards ranging between $500 and $20,000. An important-severity privilege escalation vulnerability can earn researchers between $1,000 and $5,000, depending on the quality of the report.