CVE-2021-25261
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in Yandex Browser for Windows. A local attacker with low privileges can manipulate symbolic links during the browser update process to execute arbitrary code with SYSTEM privileges. Only Windows users running vulnerable versions of Yandex Browser are affected.
💻 Affected Systems
- Yandex Browser
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full SYSTEM privileges on the Windows machine, enabling complete system compromise, data theft, persistence mechanisms, and lateral movement capabilities.
Likely Case
Local malware or malicious user escalates privileges to install additional malware, steal credentials, or bypass security controls on the affected system.
If Mitigated
Attack fails due to updated browser version, proper file permissions, or security software detecting symbolic link manipulation attempts.
🎯 Exploit Status
Requires local access and ability to create symbolic links. Exploitation involves timing manipulation during the update process. No public exploit code has been disclosed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.5.0.862 and later
Vendor Advisory: https://yandex.com/bugbounty/i/hall-of-fame-browser/
Restart Required: Yes
Instructions:
1. Open Yandex Browser.
2. Click the menu button (three horizontal lines).
3. Select 'Settings'.
4. Click 'About Yandex Browser'.
5. The browser will automatically check for and install updates.
6. Restart the browser when prompted.
🔧 Temporary Workarounds
Disable automatic updates
Platform: Windows. Prevents the vulnerable update process from being triggered automatically.
Command: not applicable; configure through browser settings.
Restrict symbolic link creation
Platform: Windows. Configure Windows security policy to prevent low-privilege users from creating symbolic links.
gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> 'Create symbolic links' -> Remove Users group
🧯 If You Can't Patch
- Restrict local access to vulnerable systems and implement least privilege principles
- Deploy application control solutions to prevent unauthorized code execution
🔍 How to Verify
Check if Vulnerable:
Check the Yandex Browser version: Open browser -> Menu -> Settings -> About Yandex Browser. If the version is below 22.5.0.862, the system is vulnerable.
Check Version:
Not applicable; check through the browser GUI as described above.
Verify Fix Applied:
Confirm the browser version is 22.5.0.862 or higher using the same method, and verify that no privilege escalation occurs during the update process.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing symbolic link creation by low-privilege users around the time of browser update activity
- Process creation events showing unexpected SYSTEM privilege processes
Network Indicators:
- Not applicable - local exploitation only
SIEM Query:
Windows Event ID 4688 with Parent Process containing 'yandex' or 'browser' and New Process running as SYSTEM
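The SIEM query above expressed as a PowerShell hunt, as an added example that is not part of this advisory: it assumes process-creation auditing (Event ID 4688) is enabled and the shell runs elevated (the Security log requires it), and matches on the SYSTEM SID rather than a display name, which varies by locale.

```powershell
# Added example (not from the advisory). Hunts the Security log for 4688 events
# where a Yandex Browser binary is the parent and the new process runs as SYSTEM.
function Find-SystemChildOfBrowser {
    param([int]$Days = 7)

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 4688 carries its fields in EventData; pull them into a lookup by name.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $parentIsBrowser = $d.ParentProcessName -match 'yandex|browser'
        # SubjectUserSid is the creating account; TargetUserSid is set when the
        # new token differs. S-1-5-18 is LocalSystem on every Windows install.
        $runsAsSystem = ($d.SubjectUserSid -eq 'S-1-5-18') -or ($d.TargetUserSid -eq 'S-1-5-18')

        if ($parentIsBrowser -and $runsAsSystem) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Parent  = $d.ParentProcessName
                Process = $d.NewProcessName
                Command = $d.CommandLine   # populated only if command-line auditing is on
            }
        }
    }
}

# Usage: list matches from the last two weeks, newest first.
Find-SystemChildOfBrowser -Days 14 | Sort-Object Time -Descending | Format-Table -AutoSize
```

A legitimate updater service will also appear here; review the child process path and command line before treating a hit as exploitation.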