CVE-2021-28313

7.8 HIGH

📋 TL;DR

CVE-2021-28313 is an elevation of privilege vulnerability in Microsoft's Diagnostics Hub Standard Collector Service. It allows authenticated attackers to execute arbitrary code with SYSTEM privileges by exploiting improper privilege management. This affects Windows systems where the Diagnostics Hub service is enabled.

💻 Affected Systems

Products:
  • Microsoft Windows
Versions: Windows 10 versions 1809, 1909, 2004, 20H2, and Windows Server 2019, 20H2
Operating Systems: Windows 10, Windows Server 2019, Windows Server 20H2
Default Config Vulnerable: ⚠️ Yes
Notes: Diagnostics Hub Standard Collector Service is enabled by default on affected Windows versions.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with SYSTEM privileges, enabling installation of malware, data theft, and lateral movement across the network.

🟠 Likely Case

Local privilege escalation from a standard user account to SYSTEM, allowing attackers to bypass security controls and maintain persistence.

🟢 If Mitigated

Limited impact with proper patch management and least privilege principles, though still a significant risk if exploited.

🌐 Internet-Facing: LOW - Requires local access or authenticated remote access to exploit.
🏢 Internal Only: HIGH - Significant risk for internal networks where attackers can gain initial access through phishing or other means.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated user access. Public proof-of-concept code is available, making exploitation straightforward for attackers with initial access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: April 2021 security updates (KB5001330 for Windows 10 20H2, KB5001337 for Windows 10 2004, etc.)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-28313

Restart Required: Yes

Instructions:

1. Apply the April 2021 Windows security updates from Windows Update.
2. For enterprise environments, deploy through WSUS or Microsoft Endpoint Configuration Manager.
3. Restart systems after patch installation.

🔧 Temporary Workarounds

Disable Diagnostics Hub Service

Disable the vulnerable service to prevent exploitation. Run both commands from an elevated command prompt (sc config needs administrative rights), and re-enable the service once the April 2021 update is installed:

sc stop diagsvc
sc config diagsvc start= disabled
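The same workaround as an added PowerShell example (not part of the advisory above). It resolves the service by the display name used on this page rather than a hard-coded short name, records the previous startup type so the change can be rolled back after patching, and must be run from an elevated session.

```powershell
# Added example, not from the advisory: disable the Diagnostics Hub Standard Collector
# Service as a temporary workaround and report the before/after state.
# Assumption: the service's display name is the one given on this page.

$DisplayName = 'Diagnostics Hub Standard Collector Service'

function Disable-DiagnosticsHubService {
    param([string]$Name = $DisplayName)

    $svc = Get-Service -DisplayName $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "No service with display name '$Name' found; nothing to do."
        return $null
    }

    # Keep the original state so the workaround can be reverted after the update.
    $previousStatus    = $svc.Status
    $previousStartType = $svc.StartType

    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $svc.Name -Force -ErrorAction Stop
    }
    Set-Service -Name $svc.Name -StartupType Disabled -ErrorAction Stop

    $after = Get-Service -Name $svc.Name
    [pscustomobject]@{
        ServiceName       = $svc.Name
        PreviousStatus    = $previousStatus
        PreviousStartType = $previousStartType
        CurrentStatus     = $after.Status
        CurrentStartType  = $after.StartType
    }
}

# Rollback after patching: Set-Service -Name <ServiceName> -StartupType <PreviousStartType>
Disable-DiagnosticsHubService
```

The returned object is worth logging with the change ticket: the PreviousStartType value is what you restore once the host reports the April 2021 update.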

🧯 If You Can't Patch

  • Implement strict least privilege principles to limit standard user access
  • Monitor for suspicious service execution and privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check Windows version and if April 2021 security updates are installed. Vulnerable if running affected versions without patches.

Check Version:

winver

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify KB5001330 (or equivalent for your version) is installed via 'wmic qfe list' or 'Get-Hotfix -Id KB5001330' in PowerShell.
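The version and hotfix checks above combined into one added PowerShell example (not from the advisory). The KB-to-release mapping is the one given on this page; the KBs for 1809 and 1909 are left as placeholders to fill in from the Microsoft advisory. It also reads the update build revision (UBR) from the registry, because Get-HotFix only lists packages that are still registered: once a later cumulative update supersedes the April 2021 one, KB5001330 may no longer appear even though the fix is present.

```powershell
# Added example, not from the advisory: decide whether this host is on an affected
# release and whether the April 2021 update (or a later cumulative update) is present.
# Assumptions: KB numbers for 20H2 and 2004 come from this page; the other two are
# placeholders; -PatchedUbr must be taken from the advisory for your release.

$AprilUpdates = @{
    '20H2' = 'KB5001330'            # Windows 10 20H2 / Server 20H2 (from the page)
    '2004' = 'KB5001337'            # Windows 10 2004 (from the page)
    '1909' = 'KB-PLACEHOLDER-1909'  # placeholder: look up in the advisory
    '1809' = 'KB-PLACEHOLDER-1809'  # placeholder: look up in the advisory
}

function Get-WindowsReleaseInfo {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # DisplayVersion ("20H2") exists on newer builds; older builds only carry ReleaseId ("1909").
    $release = if ($p.DisplayVersion) { $p.DisplayVersion } else { $p.ReleaseId }
    [pscustomobject]@{
        ProductName = $p.ProductName
        Release     = [string]$release
        Build       = [int]$p.CurrentBuild
        UBR         = [int]$p.UBR   # revision bumped by every cumulative update
    }
}

function Test-April2021Update {
    param(
        # UBR of the April 2021 cumulative update for this release (the number after the
        # dot in the full build string). 0 means unknown; take the value from the advisory.
        [int]$PatchedUbr = 0
    )

    $os = Get-WindowsReleaseInfo
    $fullBuild = "$($os.Build).$($os.UBR)"

    if (-not $AprilUpdates.ContainsKey($os.Release)) {
        return [pscustomobject]@{
            Release = $os.Release; Build = $fullBuild; Affected = $false
            Verdict = 'Release is not in the affected list on this page'
        }
    }

    $kb     = $AprilUpdates[$os.Release]
    $hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue

    $verdict = if ($hotfix) {
        "Patched: $kb installed on $($hotfix.InstalledOn)"
    } elseif ($PatchedUbr -gt 0 -and $os.UBR -ge $PatchedUbr) {
        "Patched: revision $($os.UBR) is at or above the April 2021 revision ($kb superseded by a later cumulative update)"
    } elseif ($PatchedUbr -gt 0) {
        "VULNERABLE: $kb is missing and revision $($os.UBR) is below $PatchedUbr"
    } else {
        "UNKNOWN: $kb is not listed; pass -PatchedUbr to decide by build revision"
    }

    [pscustomobject]@{
        Release = $os.Release; Build = $fullBuild; Affected = $true
        ExpectedKb = $kb; Verdict = $verdict
    }
}

Test-April2021Update
```

For fleet-wide checks, run Test-April2021Update through Invoke-Command against your hosts and filter on the Verdict field; anything reporting UNKNOWN needs the revision number from the advisory before it can be called patched.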

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4688 with process creation from diaghost.exe or diagtrackrunner.exe with elevated privileges
  • Unexpected service starts for Diagnostics Hub Standard Collector

Network Indicators:

  • Unusual outbound connections from system processes post-exploitation

SIEM Query:

EventID=4688 AND (NewProcessName="*diaghost.exe" OR NewProcessName="*diagtrackrunner.exe") AND IntegrityLevel="System"
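The log indicators and the SIEM query above turned into a host-side hunt, as an added PowerShell example that is not part of the advisory. It reads Security 4688 (process creation) and System 7036 (service state change) events; the process names are the ones listed on this page, and "System integrity" is checked through the 4688 MandatoryLabel field (S-1-16-16384, System Mandatory Level), which is the closest native equivalent of the query's IntegrityLevel field. The embedded XML is a constructed sample for exercising the filter offline, not a real captured event.

```powershell
# Added example, not from the advisory: hunt for the page's log indicators.
# Assumptions: watched process names come from this page; the sample event below is
# constructed; a real hunt runs the Get-WinEvent calls on the host or via remoting.

$WatchedProcesses     = @('diaghost.exe', 'diagtrackrunner.exe')
$SystemMandatoryLabel = 'S-1-16-16384'   # "System Mandatory Level" in 4688 MandatoryLabel
$ServiceDisplayName   = 'Diagnostics Hub Standard Collector'

# Flatten the <EventData><Data Name="..."> pairs of an event into a hashtable.
function Get-EventDataMap {
    param([xml]$EventXml)
    $map = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    $map
}

# True when a 4688 event is a watched binary starting at System integrity.
function Test-SuspiciousProcessCreation {
    param([xml]$EventXml)
    $d   = Get-EventDataMap $EventXml
    $exe = "$([System.IO.Path]::GetFileName($d['NewProcessName']))".ToLower()
    ($WatchedProcesses -contains $exe) -and ($d['MandatoryLabel'] -eq $SystemMandatoryLabel)
}

function Find-DiagHubIndicators {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    # Process creations from the watched binaries at System integrity (Security log).
    $proc = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { Test-SuspiciousProcessCreation ([xml]$_.ToXml()) } |
        ForEach-Object {
            $d = Get-EventDataMap ([xml]$_.ToXml())
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Kind   = 'ProcessCreate'
                Detail = "$($d['NewProcessName']) parent=$($d['ParentProcessName']) user=$($d['SubjectUserName'])"
            }
        }

    # Service state changes for the collector service (System log, ID 7036), which covers
    # the "unexpected service starts" indicator.
    $svc = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7036; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$ServiceDisplayName*" } |
        ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Kind = 'ServiceState'; Detail = $_.Message } }

    @($proc) + @($svc) | Sort-Object Time
}

# Constructed sample 4688 event (not a real capture) to exercise the filter offline.
$sample = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID></System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="NewProcessName">C:\Windows\System32\diaghost.exe</Data>
    <Data Name="ParentProcessName">C:\Windows\System32\services.exe</Data>
    <Data Name="MandatoryLabel">S-1-16-16384</Data>
  </EventData>
</Event>
"@

Test-SuspiciousProcessCreation ([xml]$sample)   # evaluate the constructed sample
# Find-DiagHubIndicators -Hours 72                 # live hunt on a host
```

Expect a baseline of legitimate 7036 entries on developer workstations where Visual Studio diagnostics are in use; the process-creation matches with a non-service parent or an unexpected SubjectUserName are the ones to triage first.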
