CVE-2021-24077

9.8 CRITICAL

📋 TL;DR

CVE-2021-24077 is a critical remote code execution vulnerability in the Windows Fax Service that allows unauthenticated attackers to execute arbitrary code with SYSTEM privileges on affected systems. This affects Windows servers and workstations running vulnerable versions with the Fax Service enabled. Successful exploitation gives attackers complete control over the target system.

💻 Affected Systems

Products:
  • Windows Server
  • Windows 10
  • Windows 8.1
  • Windows 7
Versions: Multiple Windows versions including Windows Server 2019, 2016, 2012 R2, 2008 R2; Windows 10 versions 20H2, 2004, 1909, 1809, 1607; Windows 8.1; Windows 7 SP1
Operating Systems: Windows
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if Windows Fax Service is installed and running. Not installed by default on Windows Server, but may be present on workstations or if Fax Server role is added.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, enabling attackers to install malware, steal data, pivot to other systems, and maintain persistent access.

🟠

Likely Case

Ransomware deployment, data exfiltration, or creation of backdoors for persistent network access.

🟢

If Mitigated

Limited impact if Fax Service is disabled or systems are properly segmented with network controls.

🌐 Internet-Facing: HIGH if the Fax Service is exposed to the internet, as the exploit requires no authentication.
🏢 Internal Only: HIGH for internal systems with the Fax Service enabled, as lateral movement is possible once initial access is gained.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available and requires no authentication. Microsoft confirmed active exploitation in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: February 2021 security updates (KB4601319, KB4601345, etc. depending on Windows version)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24077

Restart Required: Yes

Instructions:

1. Apply the February 2021 Windows security updates from Windows Update or the Microsoft Update Catalog.
2. Restart affected systems.
3. Verify the Fax Service is updated to the patched version.

🔧 Temporary Workarounds

Disable Windows Fax Service

Stop and disable the Fax Service to prevent exploitation:

sc stop Fax
sc config Fax start= disabled

Block Fax Service Ports

Block network access to Fax Service ports (typically TCP 2000-2001):

netsh advfirewall firewall add rule name="Block Fax Service" dir=in action=block protocol=TCP localport=2000-2001

🧯 If You Can't Patch

  • Disable Windows Fax Service immediately using administrative tools or PowerShell
  • Implement network segmentation to isolate systems with Fax Service from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check whether the Fax Service is running:

Get-Service Fax | Select Status, StartType

If it is running and the system is unpatched, the system is vulnerable.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify that the February 2021 security updates are installed (use the KB relevant to your Windows version):

Get-HotFix -Id KB4601319, KB4601345
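The three verification steps above (service state, OS version, installed KB) combined into one host check. This is an added example, not part of the advisory: it uses only the two KB IDs the page names, so the $PatchKBs list must be extended with the February 2021 KB for your exact build, and the Win32_Service query is used instead of Get-Service because its StartMode property is available on older PowerShell versions too.

```powershell
# Added example: assess one host for CVE-2021-24077 exposure using the checks
# listed on this page. Run in an elevated PowerShell session (3.0 or later).
# The KB list holds only the two IDs the page names; add the February 2021 KB
# for your build (assumption: the list below is incomplete for some versions).
$PatchKBs = @('KB4601319', 'KB4601345')

function Get-FaxServiceState {
    # Returns $null when the Fax Service is not installed on this host.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Fax'" -ErrorAction SilentlyContinue
    if (-not $svc) { return $null }
    [pscustomobject]@{
        State     = $svc.State      # 'Running' or 'Stopped'
        StartMode = $svc.StartMode  # 'Auto', 'Manual' or 'Disabled'
        Path      = $svc.PathName
    }
}

function Get-InstalledPatchKB {
    # Returns the first listed KB found in the installed hotfixes, else $null.
    param([string[]]$KBs)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KBs) {
        if ($installed -contains $kb) { return $kb }
    }
    return $null
}

$os  = Get-CimInstance -ClassName Win32_OperatingSystem
$fax = Get-FaxServiceState
$kb  = Get-InstalledPatchKB -KBs $PatchKBs

Write-Host ("OS: {0} (build {1})" -f $os.Caption, $os.BuildNumber)

if ($null -eq $fax) {
    Write-Host 'Fax Service not installed: this host is not exposed to CVE-2021-24077.'
}
elseif ($kb) {
    Write-Host ("Fax Service present ({0}, start mode {1}); update {2} is installed." -f $fax.State, $fax.StartMode, $kb)
}
elseif ($fax.State -eq 'Running' -or $fax.StartMode -ne 'Disabled') {
    Write-Host 'VULNERABLE: Fax Service can run and none of the listed February 2021 KBs were found.'
    Write-Host 'Apply the update; as an interim workaround: Stop-Service Fax; Set-Service Fax -StartupType Disabled'
}
else {
    Write-Host 'Fax Service installed but stopped and disabled. Unpatched: still apply the February 2021 update.'
}
```

Get-HotFix reads the same data the manual check on this page uses; on hosts where the cumulative update is superseded by a later one, the newer KB will appear instead, so add the current cumulative KB for your build to $PatchKBs rather than relying on the two IDs alone.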

📡 Detection & Monitoring

Log Indicators:

  • Event ID 7036 for Fax Service stopping/starting unexpectedly
  • Windows Security logs showing process creation from Fax Service
  • Application logs with Fax Service errors

Network Indicators:

  • Unusual connections to TCP port 2000-2001
  • Network traffic to Fax Service from unexpected sources

SIEM Query:

source="Windows Security" event_id=4688 (process_name="*fax*" OR parent_process_name="*fax*")
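The same two log indicators (process creation touching the Fax Service, and Fax Service state changes) pulled from one host's local event logs for review or forwarding when no SIEM is in place. This is an added example and not part of the advisory; it assumes process-creation auditing (event 4688) is enabled, and the ParentProcessName field it reads is only populated on Windows 10 / Server 2016 and later.

```powershell
# Added example: collect the detection indicators listed on this page from the
# local Security and System logs. Run elevated (the Security log requires it).
# Assumption: audit policy "Audit Process Creation" is enabled so 4688 exists.
param([int]$Hours = 24)

$since = (Get-Date).AddHours(-$Hours)

# Indicator 1: 4688 process-creation events where the new process or its parent
# contains "fax" (the same wildcard the page's SIEM query uses).
$procEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Process = $data['NewProcessName']
            Parent  = $data['ParentProcessName']   # empty on Windows 7 / 8.1
            Account = $data['SubjectUserName']
        }
    } |
    Where-Object { $_.Process -like '*fax*' -or $_.Parent -like '*fax*' }

# Indicator 2: 7036 Service Control Manager events for the Fax Service
# entering the running or stopped state.
$svcEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7036; ProviderName = 'Service Control Manager'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Fax' } |
    Select-Object TimeCreated, Message

"=== Process creation involving the Fax Service (last $Hours h) ==="
$procEvents | Format-Table -AutoSize
"=== Fax Service state changes (last $Hours h) ==="
$svcEvents | Format-Table -AutoSize -Wrap
```

A Fax Service that is disabled per the workaround above should produce no 7036 events at all, so any hit in the second list on a host believed mitigated is worth following up; the first list is the local equivalent of the SIEM query and is most useful with command-line auditing enabled so the CommandLine field can be added to the output.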

🔗 References
