• Home
  • |
  • Blog
  • |
  • Workaround For The New Local Privilege Elevation Found In The CVE-2021-41379 Patch
Workaround for the New Local Privilege Elevation Found in the CVE-2021-41379 Patch

Recently, security researchers discovered a new Local Privilege Elevation (LPE) vulnerability found in the patch released to fix the CVE-2021-41379 vulnerability. Microsoft released the patch in its November months patch to fix the CVE-2021-41379 vulnerability is not sufficient. Research says that an attacker can bypass the patch, which allows him to gain admin privilege from a normal user. Let’s see the best available Workaround for the New Local Privilege Elevation Found in the CVE-2021-41379 patch.

Initially, the CVE-2021-41379 vulnerability is categorized as medium severity vulnerability with a CVSS of 5.5. After the release of PoC, we could see an appreciation in the CVSS score. 

Versions Of Windows Affected By The New Local Privilege Elevation Vulnerability:

This vulnerability affects most likely every version, including Windows 10, Windows 11, and Windows Server 2022. of fully patched Windows operating systems. However, this may not affect servers that don’t have elevation service, such as Windows server 2016 and 2019.

PoC Of The New Local Privilege Elevation Vulnerability:

According to the security researcher Abdelhamid Naceri, who initially discovered the elevation of privilege vulnerability which is being tracked as CVE-2021-41379, is not fully patched. On 9th Nov, what Microsoft released the patch as part of its monthly security updates is not sufficient. An attacker can still abuse the patch to gain admin privilege on the Windows machine.

PoC Published by Abdelhamid Naceri

A Proof of Concept is published on the public Github repository to make sure the bug was not fixed correctly. The PoC is extremely reliable and doesn’t require anything to test. “The proof of concept overwrite Microsoft Edge elevation service DACL and copy itself to the service location and execute it to gain elevated privileges. I deliberately left the code which takes over the file open, so any file specified in the first argument will be taken over with the condition that SYSTEM account must have access to it and the file mustn’t be in use. So you can elevate your privileges yourself.

Workaround For The New Local Privilege Elevation Found In The CVE-2021-41379 Patch:

At the time of publishing this post, no official patches were released to fix the New Local Privilege Elevation Vulnerability Found in the CVE-2021-41379 patch. The best possible workaround at the movement would be to implement firewall rules to protect from the exploitation of this vulnerability. Talos intelligence published on their blog that Cisco Secure Firewall customers can use the latest update to their ruleset by updating their SRU. Snort.org recommended their customers to stay up to date by downloading the latest rule pack as Snort has published two new rules tracked as SIDs 58635 and 58636 to protect their users from the exploitation of this new LPA vulnerability.

We hope this post will help you in knowing the best available Workaround for the New Local Privilege Elevation Found in the CVE-2021-41379 patch. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this.

About the author

Arun KL

To know more about me. Follow me on LinkedIn Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.