Moderate
CVE-2021-26431
Windows Recovery Environment Agent Elevation of Privilege Vulnerability
Ratings
- Attacker Value: Medium
- Exploitability: Very High
Technical Analysis
Contrary to what the title says, this is not an elevation of privilege vulnerability. As noted at https://halove23.blogspot.com/2021/09/zdi-21-1053-bypassing-windows-lock.html and at https://www.zerodayinitiative.com/advisories/ZDI-21-1053/, this is actually an authentication bypass vulnerability that allows one to bypass the Windows lock screen by taking advantage of a URL link within the page.
This link appears when one tries to log into a Microsoft connected account and hits the “I Forgot My PIN” link, attempts to sign in to a Microsoft account with an invalid password, hits the back link that appears at the top left of the page, then at the sign-on page, hits the question mark icon that appears next to “Sign in with a security key”.
This will display a dialog with the title “Sign in with security key” that has a URL link called “Learn how to set this up”. Clicking on this link after enabling Narrator shows that this link actually opens a “How do you want to open this?” prompt. However, this prompt is hidden, which is why Narrator is used to tell us which elements we are hovering over.
As mentioned in https://halove23.blogspot.com/2021/09/zdi-21-1053-bypassing-windows-lock.html, this can then be used to open Edge, and then via Edge open the Settings window, at which point we can then open Explorer, and finally open a command window where we can execute arbitrary commands.
The risk of this vulnerability overall is still somewhat low. Due to the number of steps which must be taken using solely Narrator, unless someone automates the key presses (something that is entirely possible) you will still have to do a lot of listening and keypressing to get the vulnerability to work, and anyone listening in to you attacking the PC will likely find it rather odd what you are doing.
Additionally, you only gain privileges as a local user. This vulnerability does not grant you permissions as an administrative user or any privileged user on the system, and whilst you can use other EoP vulnerabilities that take advantage of the NT AUTHORITY\Authenticated Users membership the user will be granted, you are still reliant on other EoP vulnerabilities not being patched on the target system for you to get SYSTEM level access.
Overall this is a medium-low severity bug with a high degree of exploitability.
General Information
Vendors
- microsoft
Products
- windows 10 2004
- windows 10 20h2
- windows 10 21h1
- windows server 2016 2004
- windows server 2016 20h2