CVE-2021-31165
📋 TL;DR
This is a local elevation-of-privilege bug in the Windows Container Manager Service. An attacker who already has code execution as a low-privileged local user can send crafted calls to the service's local RPC interface (the public PoC targets the CmsRpcSrv CreateContainer method) and end up running as SYSTEM. It is not remotely exploitable on its own; it matters once an attacker has any foothold on the host. It affects the Windows 10 and Windows Server builds that were in support in May 2021. The service can be present even where the Windows Containers optional feature has not been enabled, so check for the service itself rather than inferring exposure from the feature state (see How to Verify).
💻 Affected Systems
- Windows 10 (the versions in support in May 2021; the MSRC advisory lists the exact versions and builds)
- Windows Server 2019
- Windows Server, versions 2004 and 20H2 (Semi-Annual Channel)
Windows Server 2022 was not generally available when this CVE was published and does not appear in the advisory's affected-product list; check any newer release against the advisory rather than assuming either way.
📦 What is this software?
Windows 10 by Microsoft. The vulnerable component is the Container Manager Service, a SYSTEM-privileged Windows service that creates and manages Windows containers and underpins container-based isolation features. It exposes an RPC interface to local callers; the flaw is in how that interface handles a CreateContainer request.
⚠️ Risk & Real-World Impact
Worst Case
Full SYSTEM-level compromise of the host, allowing complete control over the system, installation of malware, credential theft, and lateral movement across the network.
Likely Case
Privilege escalation from a standard user or service account to SYSTEM, enabling persistence, data exfiltration, and further exploitation of the compromised system.
If Mitigated
These controls do not remove the bug: a local user on an unpatched host can still escalate. What they change is who can reach the host in the first place and how far an attacker gets afterwards. Segmentation limits lateral movement, least privilege limits which accounts can run code on the host, and endpoint protection raises the odds that the escalation is caught.
🎯 Exploit Status
Public proof-of-concept code exists on Packet Storm ("Windows Container Manager Service CmsRpcSrv_CreateContainer Privilege Escalation", see References). Exploitation requires code execution as a local user on the target; once that foothold exists, the PoC makes reaching SYSTEM straightforward. There is no remote attack vector for this CVE by itself; treat it as a post-compromise step that turns any low-privileged foothold into full host control.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: May 2021 cumulative updates (2021-05 Patch Tuesday), e.g. KB5003173 for Windows 10 versions 2004 and 20H2, which share one LCU. Use the MSRC advisory to find the KB for other builds, including Windows Server 2019. Because Windows updates are cumulative, any later LCU also contains the fix.
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31165
Restart Required: Yes
Instructions:
1. Apply the May 2021 (or any later) cumulative update via Windows Update, WSUS, or the Microsoft Update Catalog.
2. Restart the system; the fix is not active until the restart completes.
3. Verify the installed OS build and Update Build Revision (UBR) meet the patched build for your version (see How to Verify). Windows Update history alone can mislead if the install failed or was rolled back.
🔧 Temporary Workarounds
Disable the Windows Containers feature and the Container Manager Service
If the host does not run Windows containers or features built on them, remove the Containers optional feature and stop and disable the Container Manager Service (service name CmService). Disabling the feature alone does not guarantee the service is gone, so confirm the service state afterwards, and expect anything that depends on the service (container tooling, Windows Sandbox and similar isolation features) to stop working.
Disable-WindowsOptionalFeature -Online -FeatureName Containers
Restart-Computer
Restrict RPC access (not effective for this CVE)
The exploit runs locally and talks to the service over local RPC, which never touches the network, so a host-firewall rule on the RPC endpoint mapper port does nothing against the attacker and only breaks remote management (WMI, DCOM, remote event log and similar):
New-NetFirewallRule -DisplayName "Block Container Manager RPC" -Direction Inbound -Protocol TCP -LocalPort 135 -Action Block
Leave this rule out of runbooks for this CVE; stop or disable the service instead.
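The service-level workaround as one checked procedure, written here as an added example (it is not from the original page or from Microsoft): it refuses to disable the service while anything depends on it, then stops and disables it and removes the optional feature. It assumes the service name is CmService (display name "Container Manager Service") and an elevated PowerShell session; on Windows Server the feature can equally be removed with Uninstall-WindowsFeature Containers.

```powershell
# Added example: stop and disable the Container Manager Service on a host that does
# not need Windows containers, then remove the Containers optional feature.
# Assumptions: service name CmService; elevated session; Windows 10 / Server with the
# DISM PowerShell module available.
$svcName = 'CmService'

$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Host "$svcName is not installed on this host; nothing to do."
    return
}

# Anything that depends on the service (container tooling, sandbox features) breaks
# when it is disabled, so list running dependents first and stop if there are any.
$runningDependents = $svc.DependentServices | Where-Object { $_.Status -eq 'Running' }
if ($runningDependents) {
    Write-Warning ("Running services depend on {0}: {1}. Review before disabling." -f
        $svcName, ($runningDependents.Name -join ', '))
    return
}

if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $svcName -Force
}
Set-Service -Name $svcName -StartupType Disabled

# Remove the optional feature too, so a later feature re-enable does not silently
# bring the service back. -NoRestart defers the reboot; schedule it.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Containers -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName Containers -NoRestart | Out-Null
    Write-Host 'Containers feature disabled; a restart is required to complete removal.'
}

# Confirm the end state: Status should be Stopped and StartType Disabled.
Get-Service -Name $svcName | Select-Object Name, Status, StartType
```

Run it once, reboot, and run the final Get-Service line again; if the service comes back as Running, something re-enabled it (group policy, a container tool installer) and that needs addressing before the host can be considered mitigated.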
🧯 If You Can't Patch
- Implement strict network segmentation to isolate systems with Windows Containers enabled
- Enforce least privilege principles and monitor for unusual privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the Containers feature is installed: Get-WindowsOptionalFeature -Online -FeatureName Containers | Select-Object State
A disabled feature does not by itself prove the host is unaffected; also confirm whether the Container Manager Service (CmService) is present and what its start type is, since the service can exist independently of the feature.
Check Version:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Get-HotFix reads Win32_QuickFixEngineering, which often omits cumulative updates, and the KB5003* wildcard also matches unrelated May 2021 KBs, so treat this only as a hint: Get-HotFix | Where-Object {$_.HotFixID -like "KB5003*"}
The reliable check is the OS build and Update Build Revision (UBR) under HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion, compared with the patched build for your version (for KB5003173 that is 19041.985 / 19042.985). Any equal or higher UBR on the same build number includes the fix.
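A self-contained vulnerability check combining the three verification steps above, added here as an example (not from the original page or from Microsoft). It reports the build and UBR, the feature state and the service state, and compares the UBR against a minimum patched revision. The per-build minimums are taken from the May 2021 LCU release notes and are an assumption to confirm against the MSRC advisory for your build; builds not in the table are reported as unknown rather than guessed.

```powershell
# Added example: is this host patched for CVE-2021-31165, and is the vulnerable
# service present? Uses the registry build/UBR rather than Get-HotFix, which
# frequently omits cumulative updates.
#
# Assumption: minimum patched UBR per build, from the May 2021 LCU release notes.
# Confirm against the MSRC advisory before relying on it; add rows for other builds.
$minPatchedUbr = @{
    '19042' = 985    # Windows 10 20H2            (KB5003173)
    '19041' = 985    # Windows 10 2004            (KB5003173)
    '17763' = 1935   # Windows 10 1809 / Server 2019 (KB5003171)
}

function Test-Cve202131165 {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    # Feature state (may be absent on some SKUs) and service state (may exist even
    # when the feature is disabled, which is why both are reported).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Containers -ErrorAction SilentlyContinue
    $svc     = Get-Service -Name CmService -ErrorAction SilentlyContinue

    $featureState = if ($feature) { [string]$feature.State } else { 'NotAvailable' }
    $svcState     = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'NotInstalled' }

    if ($minPatchedUbr.ContainsKey($build)) {
        $patched = $ubr -ge $minPatchedUbr[$build]
    } else {
        $patched = 'Unknown build; check the MSRC advisory'
    }

    # Exposed = vulnerable service present and runnable on an unpatched build.
    $exposed = ($patched -is [bool]) -and (-not $patched) -and
               ($svc -ne $null) -and ($svc.StartType -ne 'Disabled')

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Build               = "$build.$ubr"
        ContainersFeature   = $featureState
        ContainerManagerSvc = $svcState
        Patched             = $patched
        Exposed             = $exposed
    }
}

Test-Cve202131165 | Format-List
```

Exposed is true only when all three conditions hold: known build, UBR below the patched revision, and a Container Manager Service that is not disabled. A host that shows Patched = False but the service disabled is mitigated rather than fixed; it should still be patched, because the service can be re-enabled.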
📡 Detection & Monitoring
Log Indicators:
- Windows does not log RPC calls to the Container Manager Service by default, so there is no direct record of the crafted CmsRpcSrv calls; detection rests on what the escalation produces afterwards.
- Security Event ID 4688 (Process Creation; requires "Audit Process Creation", and "Include command line in process creation events" for useful context) where the creating account (Subject fields) is an ordinary user but the new process runs as SYSTEM (Target Subject fields). Do not key on TokenElevationType: %%1937 is a full UAC-elevated admin token and %%1938 a limited one; neither value says anything about SYSTEM.
- Unexpected SYSTEM child processes (cmd.exe, powershell.exe, rundll32.exe) whose parent is the Container Manager Service's host process, or SYSTEM processes whose command line or image path points into a user-writable directory.
Network Indicators:
- None specific to this CVE. The exploit is local and uses local RPC, so 135/TCP traffic is not an indicator. Watch instead for the initial access that has to precede it: new remote logons or interactive sessions to hosts that rarely receive them.
SIEM Query (pseudo-syntax over Security log 4688; adapt field names to your platform):
EventID=4688 AND TargetUserSid="S-1-5-18" AND SubjectUserSid!="S-1-5-18"
Expect benign hits from tooling that deliberately launches SYSTEM processes (psexec -s, some agents and scheduled tasks); baseline those and alert on the remainder.
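The SIEM query above run locally against the Security log, as an added example that is not part of the original page. It pushes the filter into the event log service via XPath, then maps each 4688 EventData field by name so the output does not depend on field order. It assumes "Audit Process Creation" (and ideally command-line logging) is enabled and an elevated session; the seven-day lookback and the field names are the standard 4688 schema on Windows 10 / Server 2016 and later.

```powershell
# Added example: find process creations where a non-SYSTEM account created a
# process that runs as SYSTEM, the footprint a local privilege escalation leaves
# in Security 4688 events. Assumes process-creation auditing is on.
function Find-UserToSystemProcessCreation {
    param([int]$LookbackDays = 7, [int]$MaxEvents = 500)

    $systemSid  = 'S-1-5-18'
    $lookbackMs = [int64]$LookbackDays * 24 * 60 * 60 * 1000

    # Event log XPath: 4688 in the window, new process is SYSTEM, creator is not.
    # TargetUserSid is NULL SID (S-1-0-0) when creator and child share a token, so
    # matching it to S-1-5-18 selects only genuine cross-account creations.
    $xpath = "*[System[EventID=4688 and TimeCreated[timediff(@SystemTime) <= $lookbackMs]]" +
             " and EventData[Data[@Name='TargetUserSid']='$systemSid'" +
             " and Data[@Name='SubjectUserSid']!='$systemSid']]"

    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Build a name->value map of the EventData fields for this event.
            [xml]$x = $_.ToXml()
            $f = @{}
            foreach ($d in $x.Event.EventData.Data) {
                $f[$d.GetAttribute('Name')] = $d.InnerText
            }
            [pscustomobject]@{
                Time          = $_.TimeCreated
                Creator       = "$($f['SubjectDomainName'])\$($f['SubjectUserName'])"
                ParentProcess = $f['ParentProcessName']
                NewProcess    = $f['NewProcessName']
                CommandLine   = $f['CommandLine']
            }
        }
}

# Usage: most recent first; review Creator/ParentProcess pairs you cannot explain.
Find-UserToSystemProcessCreation -LookbackDays 7 |
    Sort-Object Time -Descending |
    Format-Table -AutoSize -Wrap
```

One limit to keep in mind: if an exploit chain gets the service itself to do the launching, the Subject on the resulting 4688 is SYSTEM and this query does not see it. Pair it with parent/child monitoring (Sysmon Event 1 or EDR) around the Container Manager Service's host process so that unexpected SYSTEM children are caught either way.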
🔗 References
- http://packetstormsecurity.com/files/162555/Windows-Container-Manager-Service-CmsRpcSrv_CreateContainer-Privilege-Escalation.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31165