Attacker Value: Moderate (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

CVE-2021-26431

Disclosure Date: August 12, 2021

Description

Windows Recovery Environment Agent Elevation of Privilege Vulnerability

Technical Analysis

Contrary to what the title says, this is not an elevation of privilege vulnerability. As noted at https://halove23.blogspot.com/2021/09/zdi-21-1053-bypassing-windows-lock.html and at https://www.zerodayinitiative.com/advisories/ZDI-21-1053/, this is actually an authentication bypass vulnerability that allows one to bypass the Windows lock screen by taking advantage of a URL link within the page.

This link appears when one tries to log into a Microsoft-connected account and hits the “I Forgot My PIN” link, attempts to sign in to a Microsoft account with an invalid password, hits the back link that appears at the top left of the page, then, at the sign-on page, hits the question mark icon that appears next to “Sign in with a security key”.

This will display a dialog with the title “Sign in with security key” that has a URL link called “Learn how to set this up”. Clicking on this link after enabling Narrator shows that this link actually opens a “How do you want to open this?” prompt. However, this prompt is hidden, which is why Narrator is used to tell us which elements we are hovering over.

As mentioned in https://halove23.blogspot.com/2021/09/zdi-21-1053-bypassing-windows-lock.html, this can then be used to open Edge, and then via Edge open the Settings window, at which point we can then open Explorer, and finally open a command window where we can execute arbitrary commands.

The risk of this vulnerability overall is still somewhat low. Due to the number of steps which must be taken using solely Narrator, unless someone automates the key presses (something that is entirely possible) you will still have to do a lot of listening and key pressing to get the vulnerability to work, and anyone listening in on you attacking the PC will likely find what you are doing rather odd.

Additionally, you only gain privileges as a local user. This vulnerability does not grant you permissions as an administrative user or any privileged user on the system, and whilst you can use other EoP vulnerabilities that take advantage of the NT AUTHORITY\Authenticated Users membership the user will be granted, you are still reliant on other EoP vulnerabilities not being patched on the target system for you to get SYSTEM level access.

Overall this is a medium-low severity bug with a high degree of exploitability.

