
Ongoing Exploitation of Windows Installer CVE-2021-41379

2021-11-30 19:03:28
Glenn Thorpe
blog.rapid7.com

CVSS3: 7.8 High
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 4.6 Medium
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P

CVE: CVE-2021-41379
Vendor Advisory: Microsoft Advisory
AttackerKB: AttackerKB
IVM Content: Scheduled (when patched)
Patching Urgency: ASAP (when released)
Last Update: December 3, 2021 3:00 PM ET

See the Updates section at the end of this post for new information.

Description

On November 9, 2021, as part of Patch Tuesday, Microsoft released an update for CVE-2021-41379, a “Windows Installer Elevation of Privilege Vulnerability” with a modest CVSS score (5.5), without much fanfare. The original CVE allows an attacker to delete files on a system using elevated privileges.

Fast-forward to November 22, 2021: after investigating the patch, the researcher who discovered the vulnerability, Abdelhamid Naceri, found that it did not fully remediate the issue and published proof-of-concept (PoC) code on GitHub showing that exploitation is still possible on patched versions of Windows and yields SYSTEM-level privileges. The working PoC “overwrites Microsoft Edge elevation service ‘DACL’ and copies itself to the service location, then executes it to gain elevated privileges.”

With a zero-day exploit available, attackers have been chipping away at ways to utilize the vulnerability, especially in malware.

As of November 30, 2021, there is no official patch from Microsoft that fully and effectively remediates this vulnerability. Community researchers and security practitioners have noted that other Microsoft zero-day vulnerabilities this year, such as CVE-2021-36934 (“HiveNightmare”/“SeriousSAM”), were not fixed until the regular Patch Tuesday release cycle even though public exploit code had already appeared. We expect this vulnerability to follow the same pattern, so we do not anticipate a new patch (and/or a new CVE, if Microsoft does classify this as a patch bypass) until December 2021’s Patch Tuesday.

Affected versions

According to the researcher, all supported versions of Windows, including Windows 11 and Server 2022, are vulnerable to the exploit.

Guidance

With no official patch at this time, we recommend that organizations prepare to patch as soon as the official fix is released. Meanwhile, Rapid7 researchers have confirmed that a number of antimalware programs have added detection of Naceri’s exploit, so, as usual, keep those programs up to date. Lastly, organizations can detect previous exploitation of this PoC by monitoring for EventID 1033 with the product name “test pkg” (keeping in mind that “test pkg” will only match this exact PoC and may be changed by more enterprising attackers).
(Please see the Updates section for the latest on AV detection of this exploit.)
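The EventID 1033 / “test pkg” check described above, written out as an added detection example (this is not Rapid7's code and not part of the original post). It assumes that Windows Installer events were exported from the Application log as JSON Lines with the `Id`, `ProviderName`, `TimeCreated`, `MachineName`, `RecordId` and `Message` properties of `Get-WinEvent` records, and that the 1033 message carries the product name in its standard “Product Name: … Product Version: …” phrasing; the sample records are constructed. The indicator set is kept as a parameter so that names other than the PoC's default can be added, which is exactly the caveat the post raises.

```python
"""Flag MsiInstaller EventID 1033 records whose product name matches a
known indicator (the public PoC's MSI is named "test pkg").

Added example, not Rapid7 code. Assumed export format (an assumption):
  Get-WinEvent -LogName Application -FilterXPath "*[System[EventID=1033]]" |
    Select-Object Id, ProviderName, TimeCreated, MachineName, RecordId, Message |
    ConvertTo-Json -Compress
with one JSON object per line.
"""
import json
import re

# Product names associated with the PoC. "test pkg" is the only name the
# post gives; anything else is environment-specific and should be added here.
INDICATOR_PRODUCT_NAMES = {"test pkg"}

# Standard phrasing of the MsiInstaller 1033 message body.
_PRODUCT_RE = re.compile(r"Product Name:\s*(.+?)\.\s+Product Version:")


def product_name_from_message(message):
    """Extract the installed product's name from a 1033 message, or None."""
    match = _PRODUCT_RE.search(message or "")
    return match.group(1).strip() if match else None


def is_suspicious_install(record, indicators=INDICATOR_PRODUCT_NAMES):
    """True when the record is an MsiInstaller 1033 event for an indicator name."""
    if record.get("ProviderName") != "MsiInstaller":
        return False
    if str(record.get("Id")) != "1033":      # Id may be exported as int or string
        return False
    name = product_name_from_message(record.get("Message"))
    if name is None:
        return False
    wanted = {i.casefold() for i in indicators}
    return name.casefold() in wanted


def scan_records(lines, indicators=INDICATOR_PRODUCT_NAMES):
    """Parse JSON Lines and return one hit dict per suspicious install event."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue                          # skip malformed export lines
        if is_suspicious_install(record, indicators):
            hits.append({
                "computer": record.get("MachineName"),
                "time": record.get("TimeCreated"),
                "record_id": record.get("RecordId"),
                "product_name": product_name_from_message(record.get("Message")),
            })
    return hits


# Constructed sample export: one benign install, one PoC install, one PoC
# removal (EventID 1034, not in scope), and one non-MsiInstaller 1033 event.
SAMPLE_RECORDS = [
    '{"Id":1033,"ProviderName":"MsiInstaller","TimeCreated":"2021-11-23T09:12:01","MachineName":"WS-017","RecordId":5001,'
    '"Message":"Windows Installer installed the product. Product Name: Example Corp Agent. Product Version: 4.2.0. '
    'Product Language: 1033. Manufacturer: Example Corp. Installation success or error status: 0."}',
    '{"Id":1033,"ProviderName":"MsiInstaller","TimeCreated":"2021-11-23T14:37:55","MachineName":"WS-042","RecordId":5002,'
    '"Message":"Windows Installer installed the product. Product Name: test pkg. Product Version: 1.0.0. '
    'Product Language: 1033. Manufacturer: test. Installation success or error status: 0."}',
    '{"Id":1034,"ProviderName":"MsiInstaller","TimeCreated":"2021-11-23T14:38:10","MachineName":"WS-042","RecordId":5003,'
    '"Message":"Windows Installer removed the product. Product Name: test pkg. Product Version: 1.0.0. '
    'Product Language: 1033. Manufacturer: test. Removal success or error status: 0."}',
    '{"Id":1033,"ProviderName":"Microsoft-Windows-Security-SPP","TimeCreated":"2021-11-23T15:00:00","MachineName":"WS-042",'
    '"RecordId":5004,"Message":"Product Name: test pkg. Product Version: unrelated event text"}',
]

if __name__ == "__main__":
    for hit in scan_records(SAMPLE_RECORDS):
        print(f"{hit['time']} {hit['computer']} record {hit['record_id']}: "
              f"MsiInstaller 1033 for '{hit['product_name']}'")
```

Point the script at a real export by reading the file line by line into `scan_records`; the 1034 removal event is deliberately ignored so the logic matches the post's indicator exactly, but a removal of the same product name immediately after a matching 1033 is worth correlating in your own triage.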


Rapid7 customers

For Rapid7 InsightVM customers, we will be releasing vulnerability checks if and when Microsoft publishes patch information for the new vulnerability.

In the meantime, InsightVM customers can use Query Builder to find Windows assets with the query “os.family contains windows”. Rapid7 Nexpose customers can create a Dynamic Asset Group based on a filtered asset search for “OS contains windows”.

Updates

[December 3, 2021]
Rapid7 has published an in-depth technical analysis on AttackerKB that includes a streamlined, more functional PoC. Also of note, our research shows that attackers using this exploit can easily evade detection by AV.
