CVE-2021-31979

Description

Windows Kernel Elevation of Privilege Vulnerability

Add Assessment

gwillcox-r7 (579)

July 14, 2021 5:35pm UTC (3 years ago)•

Ratings

Attacker Value

High

Exploitability

Medium

Common in enterprise Gives privileged access Vulnerable in default configuration Authenticated

Technical Analysis

Update: Looks like this was used by the exploit brokerage company Candiru along with CVE-2021-33771 to deliver spyware to targeted users, which according to Microsoft’s blog post, affected at least 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore. Victims include human rights defenders, dissidents, journalists, activists, and politicians.

Hmm, this is a particularly juicy bug as it seems to affect all Windows systems from Windows 7 up to the latest Windows 10. This is in contrast to CVE-2021-33771, which only affects Windows 8.1 and later. Both bugs affect the Windows Kernel and are being actively exploited in the wild for LPE.

There is little information on what actually is the issue here, although https://twitter.com/mavillon1/status/1415149124064878593/ suggests that MiFlashDataSecton, EtwpUpdatePeriodicCaptureState and AlpcpProcessSynchronousRequest may be possible culprits and reviewing AlpcpProcessSynchronousRequest shows that a potential integer overflow was fixed.

Given that Microsoft also lists the attack complexity for both vulnerabilities as Low it seems likely that other researchers will find a way to replicate these vulnerabilities and create working PoCs for them, particularly given that they have been exploited in the wild. Based on this evidence, it is highly recommended to patch these issues as soon as possible.

Further updates will be made to this post if and when these CVEs are tied to specific vulnerable functions.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.8 High

Impact Score:

5.9

Exploitability Score:

1.8

Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Local

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

General Information

Offensive Application

Unknown

Utility Class

Unknown

Ports

Unknown

Vulnerable Versions

Windows 10 Version 1809 10.0.17763.2061

Windows Server 2019 10.0.17763.2061

Windows Server 2019 (Server Core installation) 10.0.17763.2061

Windows 10 Version 1909 10.0.18363.1679

Windows 10 Version 21H1 10.0.19043.1110

Windows 10 Version 2004 10.0.19041.1110

Windows Server version 2004 10.0.19041.1110

Windows 10 Version 20H2 10.0.19042.1110

Windows Server version 20H2 10.0.19042.1110

Windows 10 Version 1507 10.0.10240.19003

Windows 10 Version 1607 10.0.14393.4530

Windows Server 2016 10.0.14393.4530

Windows Server 2016 (Server Core installation) 10.0.14393.4530

Windows 7 6.1.7601.25661

Windows 7 Service Pack 1 6.1.7601.25661

Windows 8.1 6.3.9600.20069

Windows Server 2008 Service Pack 2 6.0.6003.21167

Windows Server 2008 Service Pack 2 (Server Core installation) 6.0.6003.21167

Windows Server 2008 Service Pack 2 6.0.6003.21167

Windows Server 2008 R2 Service Pack 1 6.1.7601.25661

Windows Server 2008 R2 Service Pack 1 (Server Core installation) 6.1.7601.25661

Windows Server 2012 6.2.9200.23409

Windows Server 2012 (Server Core installation) 6.2.9200.23409

Windows Server 2012 R2 6.3.9600.20069

Windows Server 2012 R2 (Server Core installation) 6.3.9600.20069

Prerequisites

Unknown

Discovered By

Unknown

PoC Author

Unknown

Metasploit Module

Unknown

Reporter

Unknown

Vendors

microsoft

Products

windows 10 1507,
windows 10 1607,
windows 10 1809,
windows 10 1809,
windows 10 1909,
windows 10 2004,
windows 10 20h2,
windows 10 21h1,
windows 7 -,
windows 8.1 -,
windows rt 8.1 -,
windows server 2004,
windows server 2008 -,
windows server 2008 r2,
windows server 2012 -,
windows server 2012 r2,
windows server 2016,
windows server 2019,
windows server 20h2

Exploited in the Wild

Reported by:

mkienow-r7 indicated source as Vendor Advisory (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31979)

Reported: July 13, 2021 7:00pm UTC (3 years ago)

gwillcox-r7 indicated sources as

Reported: July 20, 2021 7:20pm UTC (3 years ago) • Edited 3 years ago

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: November 08, 2024 8:15am UTC (2 weeks ago)

References

Canonical

CVE-2021-31979 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31979)

Miscellaneous

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31979

Rapid7

High

High

Moderate

None

Low

Local

CVE-2021-31979

Description