CVE-2021-1661

Q: What is the severity of CVE-2021-1661?

CVE-2021-1661 has a CVSS score of 7.8 (HIGH). CVE-2021-1661 is a Windows Installer elevation of privilege vulnerability that allows authenticated attackers to execute arbitrary code with SYSTEM privileges. This affects Windows systems where an attacker has local access and can run specially crafted installer packages. The vulnerability exploits improper handling of file operations during installation.

7.8 HIGH

📋 TL;DR

CVE-2021-1661 is a Windows Installer elevation of privilege vulnerability that allows authenticated attackers to execute arbitrary code with SYSTEM privileges. This affects Windows systems where an attacker has local access and can run specially crafted installer packages. The vulnerability exploits improper handling of file operations during installation.

💻 Affected Systems

Products:

Microsoft Windows

Versions: Windows 10 versions 1809, 1909, 2004, 20H2; Windows Server 2019, 2022

Operating Systems: Windows 10, Windows Server 2019, Windows Server 2022

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authenticated user access and ability to execute installer packages. Windows Installer service must be running.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, lateral movement, and data exfiltration.

🟠

Likely Case

Local privilege escalation from standard user to SYSTEM, allowing attackers to bypass security controls, install malicious software, or modify system configurations.

🟢

If Mitigated

Limited impact with proper privilege separation, application whitelisting, and endpoint protection that blocks suspicious installer activities.

🌐 Internet-Facing: LOW - Requires local access and authentication; not directly exploitable over network.

🏢 Internal Only: HIGH - Significant risk in environments with unpatched Windows systems where users have local access and can run installer packages.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires local authenticated access. Proof-of-concept code has been published demonstrating privilege escalation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: January 2021 security updates (KB4598242, KB4598229, etc.)

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1661

Restart Required: Yes

Instructions:

1. Apply January 2021 Windows security updates via Windows Update. 2. For enterprise environments, deploy through WSUS or SCCM. 3. Restart systems after patch installation.

🔧 Temporary Workarounds

Restrict Windows Installer Service

windows

Disable or restrict Windows Installer service for non-administrative users

sc config msiserver start= disabled
Set-Service -Name msiserver -StartupType Disabled

Application Control Policies

windows

Implement application whitelisting to block unauthorized installer execution

🧯 If You Can't Patch

Implement least privilege principles - ensure users run with minimal necessary permissions
Deploy endpoint detection and response (EDR) solutions to monitor for suspicious installer activity

🔍 How to Verify

Check if Vulnerable:

Check Windows version and compare with patched versions. Vulnerable if running affected versions without January 2021 updates.

Check Version:

wmic os get caption, version, buildnumber

Verify Fix Applied:

Verify Windows Update history contains January 2021 security updates (KB4598242 or equivalent). Check system is running patched OS version.

📡 Detection & Monitoring

Log Indicators:

Windows Installer service logs showing unexpected privilege escalation
Event ID 11707 in Windows Installer logs
Unexpected SYSTEM privilege processes spawned from user contexts

Network Indicators:

Not applicable - local exploitation only

SIEM Query:

source="Windows Security" EventID=4688 NewProcessName="*installer*" AND TokenElevationType="%%1938"

📊 Metadata

CVE ID: CVE-2021-1661

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-665

Published: January 12, 2021

Last Updated: November 21, 2024

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 7 by Microsoft

Windows 8.1 by Microsoft

Windows Rt 8.1 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict Windows Installer Service

Application Control Policies

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities