CVE-2021-31168
📋 TL;DR
This vulnerability allows local attackers to escalate privileges on Windows systems by exploiting a flaw in the Container Manager Service. Attackers can gain SYSTEM-level privileges by abusing the CmsRpcSrv_MapVirtualDiskToContainer function. This affects Windows systems with Container Manager Service enabled.
💻 Affected Systems
- Windows Container Manager Service
📦 What is this software?
Windows 10 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, allowing attackers to install programs, view/change/delete data, or create new accounts with full user rights.
Likely Case
Local privilege escalation from a standard user account to SYSTEM privileges, enabling lateral movement and persistence establishment.
If Mitigated
Limited impact if proper access controls and monitoring are in place, though privilege escalation could still occur if initial access is gained.
🎯 Exploit Status
Exploit code is publicly available on Packet Storm Security. Attack requires local access to the system but is relatively straightforward to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: May 2021 security updates (KB5003173 for Windows 10 2004/20H2/21H1, KB5003197 for Windows Server 2022)
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31168
Restart Required: Yes
Instructions:
1. Apply the May 2021 Windows security updates through Windows Update.
2. For enterprise environments, deploy the updates via WSUS or SCCM.
3. Restart affected systems after patch installation.
🔧 Temporary Workarounds
Disable Container Manager Service
Stop and disable the vulnerable Container Manager Service if it is not required:
sc stop cmsvc
sc config cmsvc start= disabled
🧯 If You Can't Patch
- Implement strict access controls to limit local user privileges
- Monitor for suspicious activity related to Container Manager Service and privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the Container Manager Service is running with sc query cmsvc, and confirm the Windows version with the winver command.
Check Version:
winver or systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify that the May 2021 security updates are installed: wmic qfe list | findstr /C:"KB5003173" /C:"KB5003197"
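The checks above can be combined into one script. The following is an added example, not code from the advisory or from Microsoft: the service short name cmsvc and the KB numbers are taken from this page, and because service short names differ between builds the script also looks the service up by its display name. A later cumulative update supersedes these KBs, so their absence on a newer build is reported as "check the build" rather than as unpatched.

```powershell
# Added example: checks the state described under "How to Verify".
# Assumptions: short service name 'cmsvc' and KB numbers as given on the page.
$KbIds       = @('KB5003173', 'KB5003197')
$ServiceName = 'cmsvc'

function Get-ContainerManagerServiceState {
    # Try the short name from the page first, then fall back to the display name.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) {
        $svc = Get-Service -DisplayName 'Container Manager*' -ErrorAction SilentlyContinue |
               Select-Object -First 1
    }
    if (-not $svc) {
        return [pscustomobject]@{ Present = $false; Name = $null; Status = $null; StartType = $null }
    }
    [pscustomobject]@{
        Present   = $true
        Name      = $svc.Name
        Status    = $svc.Status.ToString()      # Running / Stopped
        StartType = $svc.StartType.ToString()   # Automatic / Manual / Disabled
    }
}

function Test-PatchInstalled {
    param([string[]]$Ids)
    # Get-HotFix is the cmdlet equivalent of "wmic qfe list".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($Ids | Where-Object { $installed -contains $_ })
    [pscustomobject]@{ Patched = ($found.Count -gt 0); MatchedKBs = $found }
}

$svcState = Get-ContainerManagerServiceState
$patch    = Test-PatchInstalled -Ids $KbIds
$os       = Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber

# Verdict: patch takes precedence; otherwise the workaround (service disabled) still counts.
$verdict = if ($patch.Patched) {
    "Patched ($($patch.MatchedKBs -join ', '))"
} elseif (-not $svcState.Present -or $svcState.StartType -eq 'Disabled') {
    "Workaround applied: service absent or disabled"
} else {
    "KB not found and service enabled: unpatched, or superseded by a later cumulative update; check the build"
}

[pscustomobject]@{
    OS           = "$($os.Caption) $($os.Version) (build $($os.BuildNumber))"
    Service      = $svcState.Name
    Status       = $svcState.Status
    StartType    = $svcState.StartType
    Verdict      = $verdict
} | Format-List
```

Run from an elevated prompt so Get-HotFix and the service query return complete results.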
📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 with process creation for Container Manager Service
- Unusual privilege escalation events in Security logs
- Suspicious RPC calls to CmsRpcSrv_MapVirtualDiskToContainer
Network Indicators:
- Local RPC traffic to Container Manager Service from non-standard processes
SIEM Query:
EventID=4688 AND (NewProcessName="*cmsvc*" OR CommandLine="*MapVirtualDiskToContainer*")
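The SIEM pattern above, turned into a host-side check over Security event 4688, as an added example that is not part of the original advisory. It reads the event XML to pull NewProcessName, ParentProcessName and CommandLine; the two sample records are constructed for illustration, and the CommandLine field is only populated when the "Include command line in process creation events" policy is enabled.

```powershell
# Added example: applies the page's 4688 pattern to process-creation records.
# Assumptions: the patterns are the page's SIEM query; sample records below are constructed.
$Patterns = @('*cmsvc*', '*MapVirtualDiskToContainer*')

function Select-SuspiciousProcessEvents {
    # Emits one row per record whose image path or command line matches a pattern.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $hit = @($Patterns | Where-Object {
            $Record.NewProcessName -like $_ -or $Record.CommandLine -like $_
        })
        if ($hit.Count -gt 0) {
            [pscustomobject]@{
                TimeCreated    = $Record.TimeCreated
                User           = $Record.SubjectUserName
                NewProcessName = $Record.NewProcessName
                Parent         = $Record.ParentProcessName
                CommandLine    = $Record.CommandLine
                MatchedPattern = ($hit -join ',')
            }
        }
    }
}

function Get-ProcessCreationRecords {
    # Reads live 4688 events from the Security log and flattens EventData into named fields.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                TimeCreated       = $_.TimeCreated
                SubjectUserName   = $d['SubjectUserName']
                NewProcessName    = $d['NewProcessName']
                ParentProcessName = $d['ParentProcessName']
                CommandLine       = $d['CommandLine']
            }
        }
}

# Constructed sample records standing in for live events: the first is benign, the second matches.
$Sample = @(
    [pscustomobject]@{ TimeCreated = '2021-05-12 09:00:01'; SubjectUserName = 'alice'
                       NewProcessName = 'C:\Windows\System32\svchost.exe'
                       ParentProcessName = 'C:\Windows\System32\services.exe'
                       CommandLine = 'svchost.exe -k netsvcs' },
    [pscustomobject]@{ TimeCreated = '2021-05-12 09:01:15'; SubjectUserName = 'bob'
                       NewProcessName = 'C:\Users\bob\Downloads\unknown.exe'
                       ParentProcessName = 'C:\Windows\explorer.exe'
                       CommandLine = 'unknown.exe MapVirtualDiskToContainer' }
)
$Sample | Select-SuspiciousProcessEvents | Format-Table -AutoSize

# Against the live log (requires Audit Process Creation to be enabled):
# Get-ProcessCreationRecords | Select-SuspiciousProcessEvents | Format-Table -AutoSize
```

The service-name pattern will also match legitimate administration such as the sc commands in the workaround above, so treat the output as a triage list and correlate it with the user, parent process and timing rather than alerting on a match alone.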
🔗 References
- http://packetstormsecurity.com/files/162556/Windows-Container-Manager-Service-CmsRpcSrv_MapVirtualDiskToContainer-Privilege-Escalation.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31168