CVE-2021-28321

7.8 HIGH

📋 TL;DR

CVE-2021-28321 is an elevation of privilege vulnerability in Microsoft's Diagnostics Hub Standard Collector Service. It allows authenticated attackers to execute arbitrary code with SYSTEM privileges by exploiting improper symbolic link handling. This affects Windows systems with the vulnerable service installed.

💻 Affected Systems

Products:
  • Microsoft Windows
Versions: Windows 10 versions 1809, 1909, 2004, 20H2; Windows Server 2019, 20H2
Operating Systems: Windows 10, Windows Server 2019, Windows Server 20H2
Default Config Vulnerable: ⚠️ Yes
Notes: Diagnostics Hub Standard Collector Service (DiagHub) is installed by default on affected Windows versions.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with SYSTEM privileges, enabling installation of malware, data theft, lateral movement, and persistence mechanisms.

🟠 Likely Case: Privilege escalation from a standard user account to SYSTEM, allowing attackers to bypass security controls and install additional payloads.

🟢 If Mitigated: Limited impact if proper access controls, least privilege principles, and network segmentation are implemented.

🌐 Internet-Facing: LOW - Exploitation requires local authenticated access, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Once an attacker gains initial access to a system, they can exploit this to escalate privileges and move laterally.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit code is publicly available and relatively simple to execute. Requires authenticated user access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: April 2021 security updates (KB5001330 for Windows 10 20H2, KB5001337 for Windows 10 2004, etc.)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-28321

Restart Required: Yes

Instructions:

1. Apply April 2021 Windows security updates via Windows Update.
2. For enterprise environments, deploy updates through WSUS or SCCM.
3. Restart systems after patch installation.

🔧 Temporary Workarounds

Disable Diagnostics Hub Service

Disable the vulnerable Diagnostics Hub Standard Collector Service to prevent exploitation.

sc config diagsvc start= disabled
sc stop diagsvc

Remove Service Permissions

Modify service permissions to restrict access to the Diagnostics Hub service.

sc sdset diagsvc D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)

🧯 If You Can't Patch

  • Disable the Diagnostics Hub Standard Collector Service using administrative tools
  • Implement strict access controls and monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check whether the Diagnostics Hub Standard Collector Service (diagsvc) is present and running, and whether the Windows version is one of the affected builds: sc query diagsvc and winver

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify that the April 2021 security update is installed: wmic qfe list | findstr KB5001330 (substitute the KB that applies to your Windows build)
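The three checks above (service state, Windows build, installed KB) can be combined into a single assessment. The following PowerShell is an added example and is not part of the advisory: it assumes the service name diagsvc from the advisory, the standard Windows 10 build-number-to-version mapping, and carries only the two KB numbers the advisory names, so the $FixKBs list must be extended with the KB for your own build from the vendor advisory.

```powershell
# Added example (not from the advisory): report whether this host still matches
# the exposure conditions the advisory describes. Assumptions: service name diagsvc
# (from the advisory); build numbers are the standard Windows 10 release builds;
# $FixKBs holds only the KBs the advisory names, so extend it for other builds.

$AffectedBuilds = @{
    17763 = 'Windows 10 1809 / Windows Server 2019'
    18363 = 'Windows 10 1909'
    19041 = 'Windows 10 2004'
    19042 = 'Windows 10 20H2 / Windows Server 20H2'
}
$FixKBs = @('KB5001330', 'KB5001337')   # from the advisory; add the KB for your build

function Test-DiagHubExposure {
    [CmdletBinding()]
    param(
        [string]$ServiceName = 'diagsvc',
        # Defaults read the live host; pass values explicitly to assess inventory data offline.
        [int]$Build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber,
        [string[]]$InstalledKBs = (Get-HotFix | Select-Object -ExpandProperty HotFixID)
    )

    # Win32_Service exposes both the configured start mode and the current state.
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"

    $affected   = $AffectedBuilds.ContainsKey($Build)
    $fixPresent = @($InstalledKBs | Where-Object { $FixKBs -contains $_ }).Count -gt 0
    $svcEnabled = ($null -ne $svc) -and ($svc.StartMode -ne 'Disabled')

    $version   = if ($affected) { $AffectedBuilds[$Build] } else { 'not in affected list' }
    $startMode = if ($svc) { $svc.StartMode } else { 'n/a' }
    $state     = if ($svc) { $svc.State } else { 'n/a' }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Build            = $Build
        Version          = $version
        ServicePresent   = ($null -ne $svc)
        ServiceStartMode = $startMode
        ServiceState     = $state
        FixKBInstalled   = $fixPresent
        # Exposure needs all three: affected build, service not disabled, no fix KB present.
        LikelyExposed    = ($affected -and $svcEnabled -and -not $fixPresent)
    }
}

# Live check on this host:
Test-DiagHubExposure | Format-List

# Offline check against constructed values (placeholder KB, not a real update id):
Test-DiagHubExposure -Build 19042 -InstalledKBs @('KB1111111') | Format-List
```

Run it in an elevated PowerShell session on the host, or feed it the build number and hotfix list collected by your inventory tooling; the LikelyExposed field is only true when all three conditions hold, so a disabled service (the advisory's workaround) or an installed fix KB both clear it.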

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4688 (process creation) where diaghost.exe is started by an unusual parent process, or appears as the parent of another process
  • Service control manager events for diagsvc service

Network Indicators:

  • Unusual outbound connections from systems after privilege escalation

SIEM Query:

EventID=4688 AND (NewProcessName="*diaghost.exe" OR ParentProcessName="*diaghost.exe")
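The SIEM query above can be run directly against the Windows Security log. The PowerShell below is an added example, not part of the advisory: it parses 4688 records into flat objects and applies the same two conditions (the collector image started by an unexpected parent, or the collector image as parent of a child process). It assumes the image name diaghost.exe as the advisory lists it, and services.exe as the normal parent of a service host; both are parameters to tune for your environment. The sample records are constructed, not real telemetry.

```powershell
# Added example (not from the advisory): apply the advisory's 4688 logic to
# Security-log records, live via Get-WinEvent or against constructed samples.
# Assumptions: indicator image diaghost.exe (as stated in the advisory);
# services.exe as the expected parent of a service host.

function ConvertFrom-ProcessCreationEvent {
    # Flatten one 4688 EventRecord's EventData into a plain object.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventRecord]$Record
    )
    process {
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated       = $Record.TimeCreated
            SubjectUserName   = $data['SubjectUserName']
            NewProcessName    = $data['NewProcessName']
            ParentProcessName = $data['ParentProcessName']
            CommandLine       = $data['CommandLine']
        }
    }
}

function Get-DiagHubProcessAlerts {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object]$Event,
        [string]$IndicatorImage  = 'diaghost.exe',      # image name from the advisory
        [string[]]$ExpectedParents = @('services.exe')  # assumption: SCM starts the service host
    )
    process {
        # Compare on file names so the path prefix does not matter.
        $new    = [IO.Path]::GetFileName([string]$Event.NewProcessName)
        $parent = [IO.Path]::GetFileName([string]$Event.ParentProcessName)
        $reason = $null
        if ($new -ieq $IndicatorImage -and $parent -notin $ExpectedParents) {
            $reason = 'collector image started by unexpected parent'
        } elseif ($parent -ieq $IndicatorImage) {
            $reason = 'child process spawned by the collector image'
        }
        if ($reason) {
            [pscustomobject]@{
                TimeCreated = $Event.TimeCreated
                User        = $Event.SubjectUserName
                Process     = $new
                Parent      = $parent
                CommandLine = $Event.CommandLine
                Reason      = $reason
            }
        }
    }
}

# Constructed sample records (not real telemetry): the first is the normal service
# start and produces no alert; the other two each match one condition.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2021-04-14T10:00:00'; SubjectUserName = 'SYSTEM'
        NewProcessName = 'C:\Windows\System32\diaghost.exe'
        ParentProcessName = 'C:\Windows\System32\services.exe'; CommandLine = '' }
    [pscustomobject]@{ TimeCreated = '2021-04-14T10:05:00'; SubjectUserName = 'alice'
        NewProcessName = 'C:\Windows\System32\diaghost.exe'
        ParentProcessName = 'C:\Windows\explorer.exe'; CommandLine = '' }
    [pscustomobject]@{ TimeCreated = '2021-04-14T10:05:02'; SubjectUserName = 'SYSTEM'
        NewProcessName = 'C:\Windows\System32\cmd.exe'
        ParentProcessName = 'C:\Windows\System32\diaghost.exe'; CommandLine = 'cmd.exe' }
)
$sample | Get-DiagHubProcessAlerts | Format-Table -AutoSize

# Live run over the most recent process-creation events. Requires the
# "Audit Process Creation" policy; CommandLine is populated only if command-line
# auditing is also enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 |
    ConvertFrom-ProcessCreationEvent | Get-DiagHubProcessAlerts | Format-Table -AutoSize
```

Against the constructed sample the function returns two alerts (the explorer.exe parent and the cmd.exe child) and stays silent on the services.exe start, which is the distinction the advisory's "unusual parent" indicator relies on; widen $ExpectedParents if your baseline shows other legitimate launchers.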
