CVE-2021-31204

7.3 HIGH

📋 TL;DR

CVE-2021-31204 is an elevation of privilege vulnerability in .NET Core and Visual Studio that allows authenticated attackers to execute arbitrary code with higher privileges than intended. This affects systems running vulnerable versions of .NET Core, .NET 5.0, and Visual Studio. The vulnerability requires an attacker to have some level of initial access to the system.

💻 Affected Systems

Products:
  • .NET Core
  • .NET 5.0
  • Visual Studio
Versions: .NET Core 3.1, .NET 5.0, Visual Studio 2019 version 16.9 and earlier
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. The vulnerability exists in the core runtime components.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with initial access could gain SYSTEM/root privileges, install malware, steal sensitive data, or pivot to other systems in the network.

🟠 Likely Case

Privilege escalation from a standard user account to administrator/root, allowing installation of unauthorized software or modification of system configurations.

🟢 If Mitigated

With proper access controls and least privilege principles, impact is limited to the compromised user's scope with no lateral movement.

🌐 Internet-Facing: LOW - This vulnerability requires local access or authenticated remote access to exploit.
🏢 Internal Only: MEDIUM - Internal users with standard privileges could escalate to administrative access on affected systems.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access to the system. No public proof-of-concept has been released as of the advisory dates.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: .NET Core 3.1.14, .NET 5.0.5, Visual Studio 2019 version 16.10

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31204

Restart Required: Yes

Instructions:

1. Download and install the latest security updates from Microsoft Update.
2. For .NET Core/.NET 5.0: Update to version 3.1.14 or 5.0.5 respectively.
3. For Visual Studio: Update to version 16.10 or later via Visual Studio Installer.
4. Restart affected systems after patching.

🔧 Temporary Workarounds

Restrict User Privileges
Platform: all

Implement least privilege access controls to limit potential damage from privilege escalation

Application Whitelisting
Platform: windows

Use application control solutions to prevent execution of unauthorized binaries

🧯 If You Can't Patch

  • Implement strict access controls and monitor for privilege escalation attempts
  • Isolate affected systems from critical network segments and implement network segmentation

🔍 How to Verify

Check if Vulnerable:

Check installed .NET version with 'dotnet --version' or Visual Studio version via Help > About

Check Version:

dotnet --version (for .NET) or check Visual Studio About dialog

Verify Fix Applied:

Verify version is .NET Core 3.1.14+, .NET 5.0.5+, or Visual Studio 16.10+
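
The check below is an added example, not part of the advisory or Microsoft's tooling. It reads `dotnet --list-runtimes` output, because `dotnet --version` prints the SDK version rather than the runtime version, and compares each runtime against the fixed builds from the Patch Version line above. The sample input is constructed, and reading "core runtime" as `Microsoft.NETCore.App` is an assumption.

```sh
# Constructed sample of `dotnet --list-runtimes` output (not from a real host).
SAMPLE_OUTPUT='Microsoft.AspNetCore.App 3.1.13 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 3.1.13 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.5 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.1 [/usr/share/dotnet/shared/Microsoft.NETCore.App]'

# First fixed patch level per release line, as stated under "Patch Version".
fixed_patch_for() {
  case "$1" in
    3.1) echo 14 ;;
    5.0) echo 5 ;;
    *)   echo "" ;;  # release line not listed on this page
  esac
}

# Reads `dotnet --list-runtimes` output on stdin. Prints one line per
# Microsoft.NETCore.App runtime in a listed release line and returns 1 if
# any of them is older than the fixed build, 0 otherwise.
audit_runtimes() {
  audit_rc=0
  while read -r name version path; do
    # Assumption: "core runtime components" means Microsoft.NETCore.App.
    [ "$name" = "Microsoft.NETCore.App" ] || continue
    major=${version%%.*}; rest=${version#*.}
    minor=${rest%%.*};    patch=${rest#*.}
    patch=${patch%%[!0-9]*}   # "0-rc.1..." -> "0": pre-releases count as x.y.0
    fixed=$(fixed_patch_for "$major.$minor")
    [ -n "$fixed" ] && [ -n "$patch" ] || continue
    if [ "$patch" -lt "$fixed" ]; then
      echo "BELOW_FIX $version (fixed in $major.$minor.$fixed)"
      audit_rc=1
    else
      echo "OK $version"
    fi
  done
  return "$audit_rc"
}

# On a real host: dotnet --list-runtimes | audit_runtimes
printf '%s\n' "$SAMPLE_OUTPUT" | audit_runtimes || true
```

Several runtimes can be installed side by side, so a host counts as patched only when no line reports BELOW_FIX.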

📡 Detection & Monitoring

Log Indicators:

  • Unexpected privilege escalation events
  • Process creation with higher privileges than expected
  • Security log events showing user privilege changes

Network Indicators:

  • Unusual outbound connections from elevated processes
  • Lateral movement attempts from recently compromised systems

SIEM Query:

EventID=4688 AND (NewProcessName contains 'powershell.exe' OR NewProcessName contains 'cmd.exe') AND SubjectUserName != SYSTEM AND TokenElevationType != '%%1936'
