CVE-2021-22000

7.8 HIGH

📋 TL;DR

CVE-2021-22000 is a DLL hijacking vulnerability in VMware ThinApp that allows attackers with local non-administrative access to execute arbitrary code with elevated privileges. This affects Windows systems running vulnerable versions of VMware ThinApp. Successful exploitation could lead to full system compromise.

💻 Affected Systems

Products:
  • VMware ThinApp
Versions: 5.x prior to 5.2.10
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires local access to the Windows system with non-administrative privileges. The vulnerability exists in how ThinApp loads DLLs from insecure locations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with administrator privileges, allowing installation of persistent malware, credential theft, and lateral movement across the network.

🟠 Likely Case

Local privilege escalation leading to administrative control of the affected Windows system, enabling further attacks within the environment.

🟢 If Mitigated

Limited impact if proper access controls and monitoring are in place, though local privilege escalation remains possible.

🌐 Internet-Facing: LOW - This requires local access to the system, not directly exploitable over the network.
🏢 Internal Only: HIGH - Attackers with initial access to a vulnerable system can escalate privileges and potentially compromise the entire Windows environment.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access and knowledge of DLL placement. Public proof-of-concept code is available, making exploitation straightforward for attackers with initial access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.2.10

Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2021-0015.html

Restart Required: Yes

Instructions:

1. Download VMware ThinApp version 5.2.10 or later from VMware's official website.
2. Uninstall the vulnerable version.
3. Install the patched version.
4. Restart the system to ensure all changes take effect.

🔧 Temporary Workarounds

Restrict DLL search path (windows)

Configure Windows to restrict DLL search paths and prevent loading from insecure locations. These settings harden the DLL search order system-wide; they reduce exposure but do not replace the 5.2.10 update.

# Search system directories before the current directory (already the default on supported Windows; re-asserted here in case it was disabled)
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name 'SafeDllSearchMode' -Value 1 -Type DWord
# 1 blocks DLL loads from the current directory only when it is a WebDAV share; 2 blocks any remote share; 0xFFFFFFFF removes the current directory from the search path entirely
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name 'CWDIllegalInDllSearch' -Value 1 -Type DWord

Remove vulnerable ThinApp versions (windows)

Uninstall vulnerable versions of VMware ThinApp if they are not required:

Run appwiz.cpl, then select VMware ThinApp and click Uninstall.

🧯 If You Can't Patch

  • Implement strict access controls to limit local user privileges and prevent unauthorized local access
  • Deploy application whitelisting to prevent execution of unauthorized DLLs and monitor for suspicious DLL loading behavior

🔍 How to Verify

Check if Vulnerable:

Check the installed version of VMware ThinApp via Control Panel > Programs and Features, or with PowerShell:

Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*ThinApp*'} | Select-Object Name, Version

Querying Win32_Product makes Windows Installer run a consistency check on every installed product, so the command can be slow on hosts with many packages.

Check Version:

Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like '*ThinApp*'} | Select-Object Version

Verify Fix Applied:

Verify that the installed version is 5.2.10 or later using the same method as the vulnerability check. Compare the result as a version ([version]) rather than as a string, since a string comparison sorts 5.2.9 after 5.2.10.

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing DLL loading from unusual locations
  • Process creation events for ThinApp with suspicious parent processes
  • Failed DLL loading attempts from non-standard paths

Network Indicators:

  • Unusual outbound connections from systems running ThinApp
  • Lateral movement attempts following privilege escalation

SIEM Query:

EventID=4688 AND (NewProcessName LIKE '%thinapp%' OR NewProcessName LIKE '%vmware%') AND ParentProcessName NOT LIKE '%\explorer.exe' AND ParentProcessName NOT LIKE '%\svchost.exe'

Event 4688 records ParentProcessName as a full path (for example C:\Windows\explorer.exe), so the exclusion matches on the trailing file name; a NOT IN against bare names would never exclude anything and every ThinApp launch would alert.
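The same filter applied to process-creation records, as an added example that is not part of the advisory; the event records, user name and executable names are constructed sample values, and the field names mirror the 4688 fields the query uses.

```python
import ntpath

# Constructed 4688 (process creation) records standing in for Security log
# entries; paths and executable names are sample values, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4688,
     "NewProcessName": r"C:\Program Files (x86)\VMware\VMware ThinApp\sample_thinapp.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688,
     "NewProcessName": r"C:\Program Files (x86)\VMware\VMware ThinApp\sample_thinapp.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4688,
     "NewProcessName": r"C:\Users\alice\AppData\Local\Temp\vmware_sample_tool.exe",
     "ParentProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4624,  # logon event, not process creation: must be ignored
     "NewProcessName": r"C:\Program Files (x86)\VMware\VMware ThinApp\sample_thinapp.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
]

PRODUCT_MARKERS = ("thinapp", "vmware")
EXPECTED_PARENTS = {"explorer.exe", "svchost.exe"}


def is_suspicious(event):
    """Apply the advisory's 4688 filter to a single event record."""
    if event.get("EventID") != 4688:
        return False
    new_proc = event.get("NewProcessName", "").lower()
    if not any(marker in new_proc for marker in PRODUCT_MARKERS):
        return False
    # 4688 logs the parent as a full path, so compare only its file name
    # against the allowlist; comparing the whole path would never match.
    parent = ntpath.basename(event.get("ParentProcessName", "")).lower()
    return parent not in EXPECTED_PARENTS


def find_suspicious(events):
    """Return the NewProcessName of every record that passes the filter."""
    return [e["NewProcessName"] for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for path in find_suspicious(SAMPLE_EVENTS):
        print("ThinApp/VMware process with unexpected parent:", path)
```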
