CVE-2021-31776

7.8 HIGH

📋 TL;DR

This vulnerability allows local privilege escalation to SYSTEM on Windows systems running vulnerable Aviatrix VPN Client versions. Attackers with local access can exploit an unquoted service path to execute arbitrary code with the highest privileges. It only affects Windows installations with misconfigured directory permissions.

💻 Affected Systems

Products:
  • Aviatrix VPN Client
Versions: before 2.14.14
Operating Systems: Windows
Default Config Vulnerable: ✅ No
Notes: Requires misconfigured directory permissions allowing unprivileged users to write to administrator-restricted directories.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains full SYSTEM privileges, enabling complete system compromise, credential theft, persistence establishment, and lateral movement capabilities.

🟠 Likely Case

Privileged user or malware with local access escalates to SYSTEM to bypass security controls, install backdoors, or access protected resources.

🟢 If Mitigated

With proper directory permissions restricting write access to administrators only, exploitation is prevented despite the unquoted path vulnerability.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access; not directly exploitable over the internet.
🏢 Internal Only: MEDIUM - Requires local access and misconfigured permissions; risk depends on internal security posture and user privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access and ability to write to specific directories; unquoted service path vulnerabilities are well-understood attack vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.14.14 and later

Vendor Advisory: https://docs.aviatrix.com/HowTos/changelog.html#aviatrix-vpn-client-changelog

Restart Required: Yes

Instructions:

1. Download Aviatrix VPN Client version 2.14.14 or later from official Aviatrix documentation.
2. Uninstall previous version.
3. Install updated version.
4. Restart system to ensure service updates take effect.

🔧 Temporary Workarounds

Secure Directory Permissions

windows

Ensure only administrators have write permissions to directories in the Aviatrix service path

icacls "C:\Program Files\Aviatrix" /inheritance:r /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F" /grant:r "Users:(OI)(CI)RX"

Quote Service Path

windows

Manually add quotes to the service path in Windows Registry

reg add "HKLM\SYSTEM\CurrentControlSet\Services\AviatrixVPNClient" /v ImagePath /t REG_EXPAND_SZ /d "\"C:\Program Files\Aviatrix\VPN Client\AviatrixVPNClient.exe\"" /f

🧯 If You Can't Patch

  • Implement strict directory permissions to prevent unprivileged users from writing to Aviatrix installation directories
  • Monitor for unauthorized file creation in Aviatrix directories and suspicious service modifications

🔍 How to Verify

Check if Vulnerable:

Check Aviatrix VPN Client version via Windows Programs and Features or run: wmic product where name="Aviatrix VPN Client" get version

Check Version:

wmic product where name="Aviatrix VPN Client" get version

Verify Fix Applied:

Confirm version is 2.14.14 or later and check service path is quoted in registry: reg query "HKLM\SYSTEM\CurrentControlSet\Services\AviatrixVPNClient" /v ImagePath
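
The two checks above (quoted ImagePath, admin-only write access on the path directories) can be combined in one audit script. This is an added example, not Aviatrix code and not part of the original advisory; it assumes the service name AviatrixVPNClient used on this page and treats SYSTEM, Administrators and TrustedInstaller as the only principals expected to have write access.

```powershell
# Added example, not vendor code. Assumption: the service name used on this page.
param([string]$ServiceName = 'AviatrixVPNClient')

$key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$raw = (Get-ItemProperty -LiteralPath $key -Name ImagePath -ErrorAction Stop).ImagePath
$imagePath = [Environment]::ExpandEnvironmentVariables($raw).Trim()

# A quoted path starts with a double quote; otherwise read up to the first ".exe".
if ($imagePath -match '^"([^"]+)"') { $quoted = $true; $exe = $Matches[1] }
elseif ($imagePath -match '^(.+?\.exe)(\s|$)') { $quoted = $false; $exe = $Matches[1] }
else { throw "Could not parse ImagePath: $imagePath" }
$needsQuoting = (-not $quoted) -and ($exe -match '\s')

# SIDs expected to hold write access: SYSTEM, Administrators, TrustedInstaller.
$trusted = 'S-1-5-18', 'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
$writeMask   = 0x50000002   # CreateFiles/WriteData, GENERIC_ALL, GENERIC_WRITE
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

# Walk from the executable's folder up to the drive root and collect Allow ACEs
# that let an unexpected principal create files in the folder itself.
$findings = @()
$dir = Split-Path -Path $exe -Parent
while ($dir) {
    if (Test-Path -LiteralPath $dir -PathType Container) {
        foreach ($ace in (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType)) {
            $sid = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and
                -not ([int]$ace.PropagationFlags -band $inheritOnly) -and
                ([int]$ace.FileSystemRights -band $writeMask) -and
                $trusted -notcontains $sid) {
                $findings += [pscustomobject]@{
                    Directory = $dir; Sid = $sid; Rights = $ace.FileSystemRights
                }
            }
        }
    }
    $dir = Split-Path -Path $dir -Parent
}

"Service: $ServiceName"
"ImagePath: $imagePath"
"Quoted: $quoted  NeedsQuoting: $needsQuoting"
if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No unexpected write ACEs on the path directories.' }
```

Save it as a .ps1 file and run it on the endpoint. A host is in the state this advisory describes only when NeedsQuoting is True and at least one directory is listed.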

📡 Detection & Monitoring

Log Indicators:

  • Windows Event ID 4688 (process creation) showing execution from unexpected locations in Aviatrix directories
  • Unexpected service modifications or restarts
  • File creation events in Aviatrix program directories by non-admin users

Network Indicators:

  • None - this is a local privilege escalation vulnerability

SIEM Query:

EventID=4688 AND (ProcessName="*Aviatrix*" OR CommandLine="*Aviatrix*") AND SubjectUserName!="*SYSTEM*" AND SubjectUserName!="*Administrator*"
