CVE-2021-31958

Q: What is the severity of CVE-2021-31958?

CVE-2021-31958 has a CVSS score of 7.5 (HIGH). This vulnerability allows an attacker to exploit Windows NTLM authentication to elevate privileges on affected systems. It affects Windows operating systems where an attacker could gain SYSTEM-level access. This impacts all Windows users and administrators who haven't applied security updates.

7.5 HIGH

📋 TL;DR

This vulnerability allows an attacker to exploit Windows NTLM authentication to elevate privileges on affected systems. It affects Windows operating systems where an attacker could gain SYSTEM-level access. This impacts all Windows users and administrators who haven't applied security updates.

💻 Affected Systems

Products:

Microsoft Windows

Versions: Windows 10 versions 2004, 20H2, 21H1; Windows Server 2019, 2022; earlier versions may also be affected

Operating Systems: Windows 10, Windows Server 2019, Windows Server 2022

Default Config Vulnerable: ⚠️ Yes

Notes: Systems with NTLM authentication enabled are vulnerable. Most Windows installations have NTLM enabled by default for compatibility.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with SYSTEM privileges, allowing full control over the Windows machine, data theft, and lateral movement within the network.

🟠

Likely Case

Local privilege escalation from a standard user account to SYSTEM privileges, enabling installation of malware, credential theft, and persistence mechanisms.

🟢

If Mitigated

Limited impact with proper network segmentation, least privilege principles, and endpoint protection that detects privilege escalation attempts.

🌐 Internet-Facing: LOW - This is primarily a local privilege escalation vulnerability requiring initial access to the system.

🏢 Internal Only: HIGH - Once an attacker gains initial access to a Windows machine (through phishing, malware, etc.), they can exploit this to gain full system control and move laterally.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access to the system. Proof-of-concept code has been published, making weaponization likely by threat actors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: June 2021 security updates (KB5003637 for Windows 10 2004/20H2/21H1, KB5003635 for Server 2019, KB5003690 for Server 2022)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31958

Restart Required: Yes

Instructions:

1. Apply June 2021 Windows security updates via Windows Update. 2. For enterprise environments, deploy updates through WSUS or SCCM. 3. Restart systems after patch installation.

🔧 Temporary Workarounds

Disable NTLM authentication

windows

Disables NTLM authentication to prevent exploitation, but may break legacy applications that rely on NTLM.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "LmCompatibilityLevel" -Value 5
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "NTLMMinClientSec" -Value 0x20080000
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "RestrictSendingNTLMTraffic" -Value 2

🧯 If You Can't Patch

Implement strict network segmentation to limit lateral movement
Enforce least privilege principles and monitor for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check if June 2021 security updates are installed via 'systeminfo' command or Windows Update history.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify KB5003637, KB5003635, or KB5003690 is installed in Windows Update history or via 'wmic qfe list' command.

📡 Detection & Monitoring

Log Indicators:

Event ID 4624 with elevated privileges from unexpected processes
Security log entries showing NTLM authentication anomalies
Unexpected SYSTEM-level process creation

Network Indicators:

Unusual NTLM authentication patterns
Lateral movement attempts using NTLM

SIEM Query:

source="WinEventLog:Security" EventID=4624 AND (NewElevatedToken="%%1842" OR TokenElevationType="%%1938")

📊 Metadata

CVE ID: CVE-2021-31958

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-294

Published: June 8, 2021

Last Updated: November 21, 2024

🔗 References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31958 Patch,Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31958 Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 7 by Microsoft

Windows 8.1 by Microsoft

Windows Rt 8.1 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable NTLM authentication

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities