CVE-2021-24081 – This vulnerability allows remote code execution... (How to Fix)

Q: What is the severity of CVE-2021-24081?

CVE-2021-24081 has a CVSS score of 7.8 (HIGH). This vulnerability allows remote code execution through specially crafted image files processed by Microsoft Windows Codecs Library. Attackers can exploit this by tricking users into opening malicious images or by hosting them on websites. All Windows systems using the vulnerable codecs are affected.

📋 TL;DR

This vulnerability allows remote code execution through specially crafted image files processed by Microsoft Windows Codecs Library. Attackers can exploit this by tricking users into opening malicious images or by hosting them on websites. All Windows systems using the vulnerable codecs are affected.

💻 Affected Systems

Products:

Microsoft Windows Codecs Library

Versions: Windows 10 versions 1909, 2004, 20H2, and Windows Server 2019, 20H2

Operating Systems: Windows 10, Windows Server 2019, Windows Server 20H2

Default Config Vulnerable: ⚠️ Yes

Notes: Affects HEVC Video Extensions and HEIF Image Extensions. Systems with these codecs installed via Microsoft Store are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining SYSTEM privileges, enabling data theft, ransomware deployment, or persistent backdoor installation.

🟠

Likely Case

Local privilege escalation leading to lateral movement within networks, credential harvesting, and installation of malware.

🟢

If Mitigated

Limited impact with proper application whitelisting, restricted user privileges, and network segmentation preventing lateral movement.

🌐 Internet-Facing: MEDIUM - Requires user interaction (opening malicious image) but can be delivered via web pages or email attachments.

🏢 Internal Only: HIGH - Once inside network, attackers can exploit this for lateral movement and privilege escalation across Windows systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Requires user interaction to open malicious image file. No publicly available exploit code as of last update.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Security Update February 2021 (KB4601319 for Windows 10 20H2, KB4601315 for Windows 10 2004, etc.)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24081

Restart Required: Yes

Instructions:

1. Apply Windows Update from Microsoft. 2. Install Security Update February 2021. 3. Restart system. 4. Verify update installation via Windows Update history.

🔧 Temporary Workarounds

Disable HEIF/HEVC Codecs

windows

Remove or disable vulnerable HEIF Image Extensions and HEVC Video Extensions

Remove-AppxPackage Microsoft.HEVCVideoExtension
Remove-AppxPackage Microsoft.HEIFImageExtension

Restrict Image Processing

windows

Configure Group Policy to restrict processing of untrusted image files

🧯 If You Can't Patch

Implement application whitelisting to prevent execution of unauthorized code
Restrict user privileges to standard accounts and implement network segmentation

🔍 How to Verify

Check if Vulnerable:

Check if HEIF Image Extensions or HEVC Video Extensions are installed via PowerShell: Get-AppxPackage | Where-Object {$_.Name -like '*HEIF*' -or $_.Name -like '*HEVC*'}

Check Version:

winver or systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify Windows Update KB4601319 (or equivalent) is installed via: Get-HotFix -Id KB4601319

📡 Detection & Monitoring

Log Indicators:

Windows Event Logs showing crashes in heif.dll or hevc.dll
Application errors from Windows Codecs Library

Network Indicators:

Unusual outbound connections after image file processing
SMB traffic from unexpected systems

SIEM Query:

EventID=1000 AND Source="Application Error" AND ("heif.dll" OR "hevc.dll")

📊 Metadata

CVE ID: CVE-2021-24081

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-787

Published: February 25, 2021

Last Updated: November 21, 2024

🔗 References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24081 Patch,Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24081 Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-24081, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable HEIF/HEVC Codecs

Restrict Image Processing

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities