CVE-2021-31962

Q: What is the severity of CVE-2021-31962?

CVE-2021-31962 has a CVSS score of 9.4 (CRITICAL). This vulnerability allows attackers to bypass Kerberos AppContainer security features in Windows, potentially enabling unauthorized access to enterprise authentication capabilities. It affects Windows systems using Kerberos authentication, particularly those with AppContainer sandboxing. Attackers could exploit this to elevate privileges or bypass security boundaries.

9.4 CRITICAL

Authentication Bypass

📋 TL;DR

This vulnerability allows attackers to bypass Kerberos AppContainer security features in Windows, potentially enabling unauthorized access to enterprise authentication capabilities. It affects Windows systems using Kerberos authentication, particularly those with AppContainer sandboxing. Attackers could exploit this to elevate privileges or bypass security boundaries.

💻 Affected Systems

Products:

Microsoft Windows

Versions: Windows 10 versions 2004, 20H2, 21H1; Windows Server 2022, 2019, 2016; Windows Server, version 2004

Operating Systems: Windows 10, Windows Server 2022, Windows Server 2019, Windows Server 2016

Default Config Vulnerable: ⚠️ Yes

Notes: Systems using Kerberos authentication with AppContainer features are vulnerable. The vulnerability requires the attacker to have some initial access to the system.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of enterprise authentication systems, allowing attackers to impersonate legitimate users, access sensitive resources, and move laterally across the network.

🟠

Likely Case

Privilege escalation within Windows environments, allowing attackers to bypass AppContainer security boundaries and gain unauthorized access to protected resources.

🟢

If Mitigated

Limited impact with proper network segmentation, least privilege principles, and updated systems, though some authentication bypass risk remains.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access to the target system. The vulnerability has been publicly documented with proof-of-concept details available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: June 2021 security updates (KB5003637 for Windows 10 2004/20H2/21H1, KB5003635 for Windows Server 2022, etc.)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31962

Restart Required: Yes

Instructions:

1. Apply the June 2021 security updates from Microsoft. 2. Restart affected systems. 3. Verify the patch is installed using Windows Update or system version checks.

🔧 Temporary Workarounds

Disable vulnerable Kerberos features

windows

Temporarily disable or restrict Kerberos AppContainer features if patching is not immediately possible

🧯 If You Can't Patch

Implement strict network segmentation to limit lateral movement
Apply principle of least privilege and monitor for unusual authentication attempts

🔍 How to Verify

Check if Vulnerable:

Check Windows version and installed updates. Systems without June 2021 security updates are vulnerable.

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify KB5003637 (or equivalent for your Windows version) is installed via Windows Update history or systeminfo command.

📡 Detection & Monitoring

Log Indicators:

Unusual Kerberos authentication events
Failed AppContainer security boundary attempts
Unexpected privilege escalation attempts

Network Indicators:

Anomalous Kerberos ticket requests
Unusual authentication patterns from AppContainer processes

SIEM Query:

EventID:4769 AND (TargetUserName contains "AppContainer" OR ServiceName contains "krbtgt")

📊 Metadata

CVE ID: CVE-2021-31962

CVSS v3 Score: 9.4 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Published: June 8, 2021

Last Updated: November 21, 2024

🔗 References

http://packetstormsecurity.com/files/163206/Windows-Kerberos-AppContainer-Enterprise-Authentication-Capability-Bypass.html Third Party Advisory,VDB Entry
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31962 Patch,Vendor Advisory
http://packetstormsecurity.com/files/163206/Windows-Kerberos-AppContainer-Enterprise-Authentication-Capability-Bypass.html Third Party Advisory,VDB Entry
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-31962 Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 7 by Microsoft

Windows 8.1 by Microsoft

Windows Rt 8.1 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable vulnerable Kerberos features

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export