CVE-2016-0151
Published: 12 April 2016
Summary
CVE-2016-0151 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Microsoft Windows Server 2012. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 3.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
The vulnerability is a security feature bypass issue in the Client-Server Run-time Subsystem (CSRSS) component of Microsoft Windows, stemming from improper management of process tokens as classified under CWE-269. It affects Windows 8.1, Windows Server 2012 (including R2), Windows RT 8.1, and Windows 10 (Gold and 1511 releases), and carries a CVSS 3.1 base score of 7.8 reflecting high impact on confidentiality, integrity, and availability.
Local attackers can exploit the flaw by running a crafted application on an affected system, allowing them to bypass security restrictions and elevate privileges without requiring prior authentication or user interaction beyond executing the code.
Microsoft security bulletin MS16-048 addresses the issue through available patches, as referenced in the associated advisories from April 2016. Public exploit code for the vulnerability has also been published on Exploit-DB.
The issue enables local privilege escalation on unpatched systems meeting the affected platform criteria.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2016-0189
Vulnerability details
The Client-Server Run-time Subsystem (CSRSS) in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 mismanages process tokens, which allows local users to gain privileges via a crafted application, aka "Windows CSRSS Security Feature Bypass Vulnerability."
- CWE(s): CWE-269
- KEV Date Added: 28 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly enforces access decisions on process tokens so the CSRSS token-mismanagement bypass cannot grant unauthorized privileges.
Limits privileges assigned via process tokens, preventing the crafted-application escalation path described in the CVE.
Requires prompt installation of the MS16-048 patch that corrects the CSRSS token-handling flaw before exploitation occurs.