Workaround For The New Local Privilege Elevation Found In The CVE-2021-41379 Patch

Recently, security researchers discovered a new Local Privilege Elevation (LPE) vulnerability found in the patch released to fix the CVE-2021-41379 vulnerability. Microsoft released the patch in its November months patch to fix the CVE-2021-41379 vulnerability is not sufficient. Research says that an attacker can bypass the patch, which allows him to gain admin privilege from a normal user. Let’s see the best available Workaround for the New Local Privilege Elevation Found in the CVE-2021-41379 patch.

Initially, the CVE-2021-41379 vulnerability is categorized as medium severity vulnerability with a CVSS of 5.5. After the release of PoC, we could see an appreciation in the CVSS score. 

Versions Of Windows Affected By The New Local Privilege Elevation Vulnerability:

This vulnerability affects most likely every version, including Windows 10, Windows 11, and Windows Server 2022. of fully patched Windows operating systems. However, this may not affect servers that don’t have elevation service, such as Windows server 2016 and 2019.

PoC Of The New Local Privilege Elevation Vulnerability:

https://twitter.com/GossiTheDog/status/1462721449425264645?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1462721449425264645%7Ctwgr%5E%7Ctwcon%5Es1_&ref_url=https%3A%2F%2Fwww.theregister.com%2F2021%2F11%2F23%2Fwindows_lpe%2Fhttps://twitter.com/KLINIX5/status/1462597892066136069

According to the security researcher Abdelhamid Naceri, who initially discovered the elevation of privilege vulnerability which is being tracked as CVE-2021-41379, is not fully patched. On 9th Nov, what Microsoft released the patch as part of its monthly security updates is not sufficient. An attacker can still abuse the patch to gain admin privilege on the Windows machine.

PoC Published by Abdelhamid Naceri

A Proof of Concept is published on the public Github repository to make sure the bug was not fixed correctly. The PoC is extremely reliable and doesn’t require anything to test. “The proof of concept overwrite Microsoft Edge elevation service DACL and copy itself to the service location and execute it to gain elevated privileges. I deliberately left the code which takes over the file open, so any file specified in the first argument will be taken over with the condition that SYSTEM account must have access to it and the file mustn’t be in use. So you can elevate your privileges yourself.“

Workaround For The New Local Privilege Elevation Found In The CVE-2021-41379 Patch:

At the time of publishing this post, no official patches were released to fix the New Local Privilege Elevation Vulnerability Found in the CVE-2021-41379 patch. The best possible workaround at the movement would be to implement firewall rules to protect from the exploitation of this vulnerability. Talos intelligence published on their blog that Cisco Secure Firewall customers can use the latest update to their ruleset by updating their SRU. Snort.org recommended their customers to stay up to date by downloading the latest rule pack as Snort has published two new rules tracked as SIDs 58635 and 58636 to protect their users from the exploitation of this new LPA vulnerability.

We hope this post would help you in knowing the best available Workaround for the New Local Privilege Elevation Found in the CVE-2021-41379 patch. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.

You may also like these articles: