Report: No Patch for Microsoft Privilege Escalation Zero-Day
Flaw Initially Reported in October 2020; Unofficial Patches Are Available
A Microsoft zero-day vulnerability tracked as CVE-2021-24084 has not been fixed by the technology giant despite having been reported more than a year ago, according to independent security researcher Abdelhamid Naceri.
To protect users from this local privilege escalation and information disclosure zero-day in the Mobile Device Management service of affected Windows 10 builds, the micropatching service 0patch has issued unofficial, free patches.
Timeline, Bug Details
The information disclosure bug CVE-2021-24084 was initially reported to Microsoft through Trend Micro's Zero Day Initiative in October 2020, Naceri says.
He states that Microsoft acknowledged the vulnerability and said a fix would be issued in April 2021, but that the vulnerability has persisted, with no fix shipped on any Patch Tuesday since.
Naceri says that as of November 2021 the still-unpatched bug can also be used for local privilege escalation, in addition to the information disclosure originally reported.
I mean this is still unpatched and allows LPE if shadow volume copies are enabled; But I noticed that it doesn't work on Windows 11 https://t.co/HJcZ6ew8PO
— Abdelhamid Naceri (@KLINIX5) November 15, 2021
"Namely, as HiveNightmare/SeriousSAM has taught us, an arbitrary file disclosure can be upgraded to local privilege escalation if you know which files to take and what to do with them. We confirmed this by using the procedure described in this blog post by Raj Chandel in conjunction with Abdelhamid's bug - and being able to run code as local administrator," says Mitja Kolsek, co-founder of 0patch.
Kolsek adds that at least two conditions need to be met for the local privilege escalation to work.
"First, system protection must be enabled on drive C, and one restore point created. Whether system protection is enabled or disabled by default depends on various parameters. The second is at least one local administrator account must be enabled on the computer, or at least one 'Administrators' group member's credentials cached," Kolsek says.
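The two preconditions above, plus the affected-build list 0patch publishes further down, can be checked read-only on a host. The following script is an added example written for this page; it is not code from the article, from 0patch or from Naceri, and it does not exploit anything. Its assumptions: the build-number-to-version table is this example's own; the `RPSessionInterval` registry value is used as the indicator that system protection is on; `Get-ComputerRestorePoint` and `Win32_ShadowCopy` stand in for "one restore point created"; and only enabled local members of Administrators are counted, not the cached-domain-credential case Kolsek also mentions. Run it elevated in Windows PowerShell 5.1 on a Windows 10 client.

```powershell
# Added example (not the article's or 0patch's code): report whether this host meets the
# conditions 0patch describes for CVE-2021-24084 LPE. Read-only; no exploitation.

# Assumption: Windows 10 builds 0patch named as affected, keyed by build number.
$AffectedBuilds = @{
    17763 = '1809'; 18362 = '1903'; 18363 = '1909'
    19041 = '2004'; 19042 = '20H2'; 19043 = '21H1'
}

# Run a command that may throw when not elevated and always return an array.
function Invoke-Quietly([scriptblock]$Block) {
    try { & $Block 2>$null } catch { }
}

function Get-Cve202124084Exposure {
    $os       = Get-CimInstance Win32_OperatingSystem
    $build    = [int]$os.BuildNumber
    $isClient = ($os.ProductType -eq 1)          # 1 = workstation; servers are out of scope
    $version  = $AffectedBuilds[$build]          # $null when the build is not in the list

    # Assumption: RPSessionInterval = 1 when "system protection" is enabled for the system drive.
    $srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    $srOn  = ((Get-ItemProperty -Path $srKey -ErrorAction SilentlyContinue).RPSessionInterval -eq 1)

    # Restore points are backed by VSS shadow copies; either source counts as "at least one".
    $restorePoints = @(Invoke-Quietly { Get-ComputerRestorePoint })
    $shadows       = @(Invoke-Quietly { Get-CimInstance Win32_ShadowCopy })

    # Enabled local user accounts that are members of Administrators (SID S-1-5-32-544,
    # language independent). Cached domain credentials are not examined here.
    $enabledAdmins = @(Invoke-Quietly { Get-LocalGroupMember -SID 'S-1-5-32-544' } |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
        ForEach-Object { Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue } |
        Where-Object { $_.Enabled })

    $affected = $isClient -and ($null -ne $version)
    [pscustomobject]@{
        Build               = $build
        Windows10Version    = $version
        ClientSku           = $isClient
        AffectedBuild       = $affected
        SystemProtectionOn  = $srOn
        RestorePoints       = $restorePoints.Count
        ShadowCopies        = $shadows.Count
        EnabledLocalAdmins  = @($enabledAdmins | ForEach-Object { $_.Name })
        LpePreconditionsMet = ($affected -and $srOn -and
                               ($restorePoints.Count -gt 0 -or $shadows.Count -gt 0) -and
                               $enabledAdmins.Count -gt 0)
    }
}

Get-Cve202124084Exposure | Format-List
```

`LpePreconditionsMet` is the field to pivot on in fleet inventory: a host on an affected build with system protection off, or with no enabled local administrator, still has the information-disclosure bug but not the conditions 0patch needed to turn it into code execution as administrator.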
The flaw sits behind the "Access work or school" settings page and is triggered only when a user clicks "Export your management log files" and confirms by pressing "Export," he says.
"At that point, the Device Management Enrollment Service is triggered, running as Local System. This service first copies some log files to the MDM Diagnostics folder, and then packages them into a CAB file whereby they're temporarily copied to Temp folder. The resulting CAB file is then stored in the MDM Diagnostics folder, where the user can freely access it," Kolsek notes.
The vulnerable step, he says, is the copy of the CAB file to the Temp folder: a local attacker can pre-create a soft link at the predictable file name the export routine uses, pointing at whatever file or folder they want copied, so that the privileged copy lands in a location the attacker can read.
"Since the Device Management Enrollment Service runs as Local System, it can read any system file that the attacker can't," Kolsek notes.
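The copy pattern Kolsek describes, a privileged process writing to a fixed, guessable name inside a folder a low-privileged user can populate, is reproducible without any service or SYSTEM token. The script below is an added example written for this page, not code from the article or from 0patch, and not the actual exploit: it uses a directory junction rather than a soft link because a junction needs no privilege to create, and it runs entirely in a scratch directory under `%TEMP%`. All names in it (`Copy-LogPackageUnsafely`, `Copy-LogPackageSafely`, the `MDMDiagnostics.cab` file name, the scratch paths) are hypothetical.

```powershell
# Added example (not the article's or 0patch's code): a redirectable copy next to a safer one.

function Test-ReparsePoint {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $item = Get-Item -LiteralPath $Path -Force
    return [bool]($item.Attributes -band [IO.FileAttributes]::ReparsePoint)
}

# Vulnerable pattern: fixed destination name. Whatever already sits at that name
# (a file, a soft link, a junction) decides where the bytes really land.
function Copy-LogPackageUnsafely {
    param([string]$Source, [string]$Staging)
    $dest = Join-Path $Staging 'MDMDiagnostics.cab'     # hypothetical predictable name
    Copy-Item -LiteralPath $Source -Destination $dest -Force
    return $dest
}

# Safer pattern: refuse a staging folder that is itself a reparse point, use an
# unguessable name, and open the destination with CreateNew so anything planted at
# that name fails the copy instead of being written through. The random name is the
# real defense; the reparse-point check is belt and braces and is still racy on its own.
function Copy-LogPackageSafely {
    param([string]$Source, [string]$Staging)
    if (Test-ReparsePoint $Staging) { throw "Refusing to stage into a reparse point: $Staging" }
    $bytes = New-Object byte[] 16
    [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $name = [BitConverter]::ToString($bytes).Replace('-', '')
    $dest = Join-Path $Staging ($name + '.cab')
    if (Test-ReparsePoint $dest) { throw "Pre-planted link at $dest" }
    $out = [IO.File]::Open($dest, [IO.FileMode]::CreateNew, [IO.FileAccess]::Write, [IO.FileShare]::None)
    try {
        $in = [IO.File]::OpenRead($Source)
        try { $in.CopyTo($out) } finally { $in.Dispose() }
    } finally { $out.Dispose() }
    return $dest
}

# --- Demo in a scratch directory; all input below is constructed ---
$root     = Join-Path $env:TEMP ('linkdemo-' + [IO.Path]::GetRandomFileName())
$staging  = Join-Path $root 'Temp'        # stands in for the shared Temp folder
$attacker = Join-Path $root 'attacker'    # a folder the low-privileged user can read
New-Item -ItemType Directory -Path $staging, $attacker | Out-Null
$source = Join-Path $root 'logs.cab'
Set-Content -LiteralPath $source -Value 'constructed log package'

# The user plants the predictable name ahead of time as a junction into their own folder.
$planted = Join-Path $staging 'MDMDiagnostics.cab'
New-Item -ItemType Junction -Path $planted -Target $attacker | Out-Null

Copy-LogPackageUnsafely -Source $source -Staging $staging | Out-Null
"Unsafe copy was redirected into the attacker folder: $(Test-Path (Join-Path $attacker 'logs.cab'))"

$safe = Copy-LogPackageSafely -Source $source -Staging $staging
"Safe copy stayed in the staging folder: $((Split-Path $safe -Parent) -eq $staging)"

# Remove the junction itself (non-recursive) before deleting the scratch tree.
[IO.Directory]::Delete($planted)
Remove-Item -LiteralPath $root -Recurse -Force
```

The unsafe copy ends up under `attacker\` because `Copy-Item` treats the junction as an ordinary directory; the safe copy never touches the planted name. A privileged service gets the same protection from impersonating the requesting user while it writes into user-controlled folders, which is what Kolsek notes the server-side diagnostics tools do.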
Patches
0patch has, for now, released free, unofficial patches for the vulnerability on 32- and 64-bit versions of Windows 10 v21H1, v20H2, v2004, v1909, v1903 and v1809.
"Windows servers are not affected, as the vulnerable functionality does not exist there. While some similar diagnostics tools exist on servers, they are being executed under the launching user's identity, and therefore cannot be exploited," Kolsek notes.
"Windows 10 v1803 and older Windows 10 versions don't seem to be affected either. While they do have the 'Access work or school' functionality, it behaves differently and cannot be exploited this way. Windows 7 does not have the 'Access work or school' functionality at all," he adds.
Microsoft did not immediately respond to Information Security Media Group's request for additional details.
Patch Backlog?
Microsoft's Nov. 9 Patch Tuesday covered a total of 55 security fixes, six of them zero-day vulnerabilities, two of which were being actively exploited in the wild (see: 55 Patches, 6 Zero Days - Is There a Backlog at Microsoft?).
Zero Day Initiative's Dustin Childs said at the time that this was a relatively low number.
"Last year, there were more than double this number of CVEs fixed. Even going back to 2018 when there were only 691 CVEs fixed all year, there were more November CVEs fixed than in this month. Given that December is typically a slower month patch-wise, it causes one to wonder if there is a backlog of patches awaiting deployment due to various factors," said Childs.