The vulnerability, assigned CVE-2021-34484 (CVSS 7.8), [3] was partially patched by Microsoft in August’s Patch Tuesday as an “arbitrary directory deletion” bug. However, threat actors can bypass that patch to gain SYSTEM privileges under specific circumstances, obtaining an elevated command prompt while the User Account Control prompt is displayed. [4]
Other researchers who have tested the PoC reported that, while it worked, it did not always produce the elevated command prompt. [5] At this stage, the exploit requires threat actors to already hold valid user credentials on the target system, so it is slightly less likely to be as widely abused as other local elevation of privilege bugs.
Microsoft is still working on an official security update for this zero-day vulnerability; however, the 0patch micropatching service released a ‘micropatch’ last week. [6] This patch, free until the official update is released, can block attacks using the CVE-2021-34484 bypass, but it is only available for some Windows versions.
In the interim, while waiting for the official patch, organisations may consider applying the unofficial patch provided by the 0patch micropatching service.
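The following PowerShell helper is an added example and is not code from CyberCX, Microsoft or 0patch. It summarises the facts an administrator needs when deciding whether the interim micropatch is relevant to a host: the Windows build (the micropatch only covers some versions), whether any update has been installed since the August 2021 Patch Tuesday that carried Microsoft's partial fix, and whether a 0patch agent service is present. The service name, the August 2021 date and the KB numbers in the offline demonstration are assumptions or constructed placeholders, not values from the advisory.

```powershell
# Added triage helper (not CyberCX, Microsoft or 0patch code).
# Reports the local Windows build and patch state for CVE-2021-34484 triage.
function Get-Cve202134484Triage {
    [CmdletBinding()]
    param(
        # OS details and hotfix list. Defaults query the live host; callers can
        # pass constructed objects for an offline demonstration (see below).
        [pscustomobject] $Os = (Get-CimInstance -ClassName Win32_OperatingSystem),
        [object[]] $HotFixes = (Get-HotFix),
        # ASSUMPTION: the 0patch agent runs as a Windows service. The advisory
        # does not give its name, so adjust this placeholder for your estate.
        [string] $MicropatchServiceName = '0patchService'
    )

    # Microsoft's partial fix shipped with the August 2021 Patch Tuesday
    # (assumed here as 10 August 2021); updates on or after that date are listed.
    $augustPatchTuesday = Get-Date -Year 2021 -Month 8 -Day 10
    $recent = @($HotFixes |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $augustPatchTuesday } |
        Sort-Object InstalledOn -Descending)

    $service = Get-Service -Name $MicropatchServiceName -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        OsCaption              = $Os.Caption
        OsVersion              = $Os.Version
        Build                  = $Os.BuildNumber
        UpdatesSinceAug2021    = @($recent | ForEach-Object { $_.HotFixID })
        HasUpdateSinceAug2021  = ($recent.Count -gt 0)
        MicropatchServiceSeen  = ($null -ne $service)
        MicropatchServiceState = if ($service) { $service.Status.ToString() } else { 'not found' }
        # A recent update only shows the partial August fix is in place; the
        # bypass is not closed until Microsoft ships the official update.
        Note                   = 'Partial August 2021 fix only; monitor for the official update.'
    }
}

# Live run on the current host:
# Get-Cve202134484Triage | Format-List

# Offline demonstration with constructed sample data (placeholder KB numbers,
# not real inventory):
$sampleOs = [pscustomobject]@{
    Caption     = 'Microsoft Windows 10 Enterprise'
    Version     = '10.0.19043'
    BuildNumber = '19043'
}
$sampleHotFixes = @(
    [pscustomobject]@{ HotFixID = 'KB0000001'; InstalledOn = (Get-Date '2021-07-13') },
    [pscustomobject]@{ HotFixID = 'KB0000002'; InstalledOn = (Get-Date '2021-08-10') }
)
Get-Cve202134484Triage -Os $sampleOs -HotFixes $sampleHotFixes | Format-List
```

Run it across a fleet (for example via Invoke-Command) and collect the objects to see which hosts are on builds the micropatch supports, which have the partial fix installed, and which still have no micropatch agent; the `Note` field is a reminder that none of these states means the bypass itself is fixed.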
For additional information, including specifics about the response within your IT environment, please contact cyberintel@cybercx.com.au or your usual CyberCX contact.
If you are not a customer but would like help responding to the subject of this advisory, please contact cyberintel@cybercx.com.au.
CyberCX Reference No# | Date of Advisory
CCX-TA-2021-42 | 15 November 2021
[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34484
[2] https://halove23.blogspot.com/2021/10/windows-user-profile-service-0day.html
[3] https://nvd.nist.gov/vuln/detail/CVE-2021-34484
[4] https://www.bleepingcomputer.com/news/microsoft/zero-day-bug-in-all-windows-versions-gets-free-unofficial-patch/
[5] https://www.bleepingcomputer.com/news/security/all-windows-versions-impacted-by-new-lpe-zero-day-vulnerability/
[6] https://blog.0patch.com/2021/11/micropatching-incompletely-patched.html