CVE-2021-31859
📋 TL;DR
This vulnerability allows local users on systems running YSoft SafeQ 6 to escalate privileges by overwriting the MU55 FlexiSpooler service executable via alternative data streams. Attackers can gain SYSTEM-level access by exploiting incorrect file permissions. Only organizations using YSoft SafeQ 6 version 6.0.55 are affected.
💻 Affected Systems
- YSoft SafeQ 6
📦 What is this software?
Safeq by Ysoft
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains SYSTEM privileges, enabling complete system compromise, data theft, installation of persistent malware, and lateral movement across the network.
Likely Case
Local user or malware with initial access escalates to SYSTEM to install additional payloads, disable security controls, and maintain persistence on the compromised system.
If Mitigated
With proper access controls and monitoring, exploitation would be detected and contained before significant damage occurs.
🎯 Exploit Status
Exploitation requires local user access but uses simple file permission bypass techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 6.0.55
Vendor Advisory: https://www.ysoft.com/en/legal/ysoft-safeq-flexispooler
Restart Required: Yes
Instructions:
1. Download the latest YSoft SafeQ 6 version from the vendor portal.
2. Back up the current configuration.
3. Run the installer to upgrade.
4. Restart affected systems.
5. Verify the service is running with correct permissions.
🔧 Temporary Workarounds
Restrict file permissions on FlexiSpooler executable
Windows: manually set ACLs so that only SYSTEM and Administrators can modify the MU55 FlexiSpooler service executable.
icacls "C:\Program Files\YSoft\SafeQ\FlexiSpooler\MU55FlexiSpooler.exe" /inheritance:r /grant "SYSTEM:(F)" /grant "Administrators:(F)" /deny "Users:(M)"
Note: /inheritance:r removes every inherited entry, so no Users entry remains and the explicit deny is belt-and-braces. Because deny entries are evaluated first and (M) includes read and execute bits, it also blocks members of Users who hold administrator rights from reading or replacing the file interactively; drop the /deny part if that gets in the way of patching.
Disable alternative data streams
Windows: NTFS has no setting that turns alternate data streams off. The command below is often quoted for this purpose, but it only stops NTFS from updating last-access timestamps; it does not prevent streams from being created.
fsutil behavior set disablelastaccess 1
Use Group Policy to enable object-access auditing (Advanced Audit Policy > Object Access > File System) so that stream writes to the executable are logged; policy cannot restrict ADS creation itself, so audit it (see Detection & Monitoring).
🧯 If You Can't Patch
- Isolate affected systems from critical network segments.
- Implement strict access controls and monitoring on systems running vulnerable versions.
🔍 How to Verify
Check if Vulnerable:
Check YSoft SafeQ version in Control Panel > Programs and Features. If version is 6.0.55, system is vulnerable.
Check Version:
wmic product where "name like 'YSoft SafeQ%'" get version
(wmic is deprecated on current Windows builds; the same value is listed in Control Panel > Programs and Features.)
Verify Fix Applied:
Verify the version is greater than 6.0.55 and check file permissions on MU55FlexiSpooler.exe using:
icacls "C:\Program Files\YSoft\SafeQ\FlexiSpooler\MU55FlexiSpooler.exe"
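The checks above can be scripted so they run the same way on every print server. The PowerShell below is an added example, not part of the advisory or of YSoft's software: it reads the installed version from the uninstall registry keys, lists ACL entries on the binary and its parent directory that would let a non-privileged principal replace, delete or re-own it, and enumerates any alternate data streams attached to the binary. It assumes the default install path quoted in the advisory; the version threshold and function names are the example's own.

```powershell
# Added check script; not part of the advisory or of YSoft's software.
# Assumes the default install path quoted in the advisory; adjust $ExePath if
# the service binary lives elsewhere.
$ExePath = 'C:\Program Files\YSoft\SafeQ\FlexiSpooler\MU55FlexiSpooler.exe'
$LastAffected = [version]'6.0.55'   # advisory: fixed in builds after 6.0.55

function Get-SafeQVersion {
    # Same data "Programs and Features" shows, read from the uninstall keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'YSoft SafeQ*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Get-WeakAce {
    param([string]$Path)
    # Rights that let a principal replace, delete or re-own the object.
    $dangerous   = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $genericMask = 0x50000000   # GENERIC_WRITE (0x40000000) | GENERIC_ALL (0x10000000)
    $trusted     = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'
    (Get-Acl -Path $Path).Access | Where-Object {
        $bits = [int]$_.FileSystemRights
        $_.AccessControlType -eq 'Allow' -and
        $trusted -notcontains $_.IdentityReference.Value -and
        ((($bits -band [int]$dangerous) -ne 0) -or (($bits -band $genericMask) -ne 0))
    }
}

function Get-ExtraStream {
    param([string]$Path)
    # Anything besides the unnamed :$DATA stream is an alternate data stream.
    Get-Item -Path $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' }
}

$ver = Get-SafeQVersion
if (-not $ver) {
    Write-Output 'YSoft SafeQ not found in the uninstall registry.'
} elseif ([version]$ver -le $LastAffected) {
    Write-Output "Installed $ver is not newer than 6.0.55: upgrade required."
} else {
    Write-Output "Installed $ver is newer than 6.0.55: fixed build."
}

if (Test-Path -Path $ExePath) {
    # Write access on the parent directory allows a rename/replace of the binary too.
    foreach ($p in $ExePath, (Split-Path -Path $ExePath -Parent)) {
        Get-WeakAce -Path $p | ForEach-Object {
            Write-Output ('WEAK ACL on {0}: {1} has {2}' -f $p, $_.IdentityReference, $_.FileSystemRights)
        }
    }
    Get-ExtraStream -Path $ExePath | ForEach-Object {
        Write-Output ('ALTERNATE STREAM on binary: {0} ({1} bytes)' -f $_.Stream, $_.Length)
    }
} else {
    Write-Output "Binary not found at $ExePath; set `$ExePath to the installed location."
}
```

Run it from an elevated prompt so that Get-Acl can read the full DACL. An empty ACL list plus no extra streams, together with a version above 6.0.55, is the expected result on a patched host; any WEAK ACL line names the principal and rights to remove with icacls as shown above.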
📡 Detection & Monitoring
Log Indicators:
- Unexpected modifications to MU55FlexiSpooler.exe in Windows Security logs
- Service restart events for FlexiSpooler service
- Creation of alternative data streams on executable files
Network Indicators:
- Unusual outbound connections from print servers
- Lateral movement attempts from print server systems
SIEM Query:
EventID=4663 AND ObjectName LIKE '%MU55FlexiSpooler.exe%' AND (Accesses LIKE '%WriteData%' OR Accesses='WRITE_DAC' OR Accesses='WRITE_OWNER')
Notes: the parentheses matter; without them the trailing OR binds loosely and the query matches every WRITE_OWNER event on the host regardless of object. WriteData is included because replacing the executable shows up as a data write, not only as a DACL or owner change. Event 4663 is only generated when the file carries a SACL and the File System object-access audit subcategory is enabled.
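The log indicators above only exist if auditing on the binary is switched on first. The PowerShell below is an added example, not part of the advisory or of YSoft's software: it adds a SACL entry so that write, delete, WRITE_DAC and WRITE_OWNER attempts on the executable generate event 4663, then reads recent 4663 events and keeps those whose access mask carries one of those bits. It assumes the default install path quoted in the advisory; function names and the 24-hour window are the example's own.

```powershell
# Added detection helper; not part of the advisory or of YSoft's software.
# Assumes the default install path quoted in the advisory. Run elevated:
# changing a SACL needs SeSecurityPrivilege and reading the Security log
# needs administrator (or Event Log Readers) rights.
$ExePath = 'C:\Program Files\YSoft\SafeQ\FlexiSpooler\MU55FlexiSpooler.exe'

function Enable-BinaryWriteAudit {
    param([string]$Path)
    # 4663 is only written when the file carries a SACL *and* the "File System"
    # object-access subcategory is on:
    #   auditpol /set /subcategory:"File System" /success:enable /failure:enable
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership',
        'None', 'None', 'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-BinaryWriteEvents {
    param([string]$Path, [int]$Hours = 24)
    # Access-mask bits reported by 4663 that match the audit rule above:
    # 0x2 WriteData, 0x4 AppendData, 0x10000 DELETE, 0x40000 WRITE_DAC, 0x80000 WRITE_OWNER.
    $writeMask = 0xD0006
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # "$Path*" also matches the stream-suffixed object name that a write
        # into an alternate data stream on the binary produces.
        if ($data.ObjectName -like "$Path*" -and $data.AccessMask) {
            $mask = [Convert]::ToInt32($data.AccessMask, 16)
            if (($mask -band $writeMask) -ne 0) {
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    Subject    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                    Process    = $data.ProcessName
                    Object     = $data.ObjectName
                    AccessMask = $data.AccessMask
                }
            }
        }
    }
}

Enable-BinaryWriteAudit -Path $ExePath
Get-BinaryWriteEvents -Path $ExePath -Hours 24 | Format-Table -AutoSize
```

Expect the vendor's own installer and update process to appear in this output during patching; anything else writing to the binary, especially from a non-SYSTEM subject or an unexpected process, is the indicator the advisory describes and belongs in the SIEM alert.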