Attacker Value

Unknown

(2 users assessed)

Exploitability

Unknown

(2 users assessed)

User Interaction

CVE-2021-34484

Disclosure Date: August 12, 2021 •

CVE-2021-34484 CVSS v3 Base Score: 7.8

Exploited in the Wild

Reported by ccondon-r7 and 1 more...
View Source Details

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Windows User Profile Service Elevation of Privilege Vulnerability

Add Assessment

ccondon-r7 (195)

March 29, 2022 12:10pm UTC (1 year ago)

Technical Analysis

This bug was evidently used by LAPSUS$ in the wild as part of the attack on Okta.

gwillcox-r7 (578)

March 30, 2022 4:21pm UTC (1 year ago)

Technical Analysis

Appears there may have been some confusion here. As noted at https://twitter.com/wdormann/status/1508555477491269638 and at https://twitter.com/BillDemirkapi/status/1508527487655067660/photo/1, the attackers tried to download UserProfileSvcEoP.exe from https://github.com/klinix5/ProfSvcLPE/blob/main/DoubleJunctionEoP/Release/UserProfileSvcEoP.exe. If you look at https://github.com/klinix5/ProfSvcLPE/blob/main/write-up.docx you can see this is actually a patch bypass for CVE-2021-34484, and was later fixed by CVE-2022-21919.

Ironically enough this later got another patch bypass in the form of CVE-2022-26904 which at the time of writing is still unpatched.

All of these vulnerabilities exploit a logic flaw whereby the User Profile Service had a CreateDirectoryJunction() function that did not appropriately validate its input to ensure it wasn’t using symbolic links along any point of the path prior to creating a directory junction between two directories. This could be abused by attackers manipulating paths along the file path to gain code execution as the SYSTEM user by planting a DLL in a sensitive location which would then be loaded by a privileged process.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.8 High

Impact Score:

5.9

Exploitability Score:

1.8

Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Local

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

General Information

Offensive Application

Unknown

Utility Class

Unknown

Ports

Unknown

Vulnerable Versions

Windows 10 Version 1809 for 32-bit Systems

Windows 10 Version 1809 for x64-based Systems

Windows 10 Version 1809 for ARM64-based Systems

Windows 10 for 32-bit Systems

Windows 10 for x64-based Systems

Windows 10 Version 1607 for 32-bit Systems

Windows 10 Version 1607 for x64-based Systems

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems Service Pack 1

Windows 8.1 for 32-bit systems

Windows 8.1 for x64-based systems

Windows RT 8.1

Windows Server 2019

Windows Server 2019 (Core installation)

Windows Server 2016

Windows Server 2016 (Core installation)

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2 (Core installation)

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2 (Core installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Core installation)

Windows Server 2012

Windows Server 2012 (Core installation)

Windows Server 2012 R2

Windows Server 2012 R2 (Core installation)

Windows 10 Version 1909 for 32-bit Systems

Windows 10 Version 1909 for x64-based Systems

Windows 10 Version 1909 for ARM64-based Systems

Windows 10 Version 21H1 for x64-based Systems

Windows 10 Version 21H1 for ARM64-based Systems

Windows 10 Version 21H1 for 32-bit Systems

Windows 10 Version 2004 for 32-bit Systems

Windows 10 Version 2004 for ARM64-based Systems

Windows 10 Version 2004 for x64-based Systems

Windows Server, version 2004 (Server Core installation)

Windows 10 Version 20H2 for x64-based Systems

Windows 10 Version 20H2 for 32-bit Systems

Windows 10 Version 20H2 for ARM64-based Systems

Windows Server, version 20H2 (Server Core Installation)

Prerequisites

Unknown

Discovered By

Unknown

PoC Author

Unknown

Metasploit Module

Unknown

Reporter

Unknown

Vendors

Microsoft

Products

Windows,
Windows Server,
Windows 10 Version 1909 for 32-bit Systems,
Windows 10 Version 1909 for x64-based Systems,
Windows 10 Version 1909 for ARM64-based Systems,
Windows 10 Version 21H1 for x64-based Systems,
Windows 10 Version 21H1 for ARM64-based Systems,
Windows 10 Version 21H1 for 32-bit Systems,
Windows 10 Version 2004 for 32-bit Systems,
Windows 10 Version 2004 for ARM64-based Systems,
Windows 10 Version 2004 for x64-based Systems,
Windows Server, version 2004 (Server Core installation),
Windows 10 Version 20H2 for x64-based Systems,
Windows 10 Version 20H2 for 32-bit Systems,
Windows 10 Version 20H2 for ARM64-based Systems,
Windows Server, version 20H2 (Server Core Installation)

Exploited in the Wild

Reported by:

ccondon-r7 indicated source as News Article or Blog (https://twitter.com/billdemirkapi/status/1508527492285575172)

Reported: March 29, 2022 12:09pm UTC (1 year ago)

gwillcox-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: April 01, 2022 4:52pm UTC (1 year ago)

References

Canonical

CVE-2021-34484 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34484)

Miscellaneous

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34484

Rapid7

Unknown

CVE-2021-34484

Unknown

Unknown

None

Low

Local

CVE-2021-34484

Description

Add Assessment

Technical Analysis

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Exploited in the Wild

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification