CVE-2021-33436

7.3 HIGH

📋 TL;DR

This vulnerability allows local non-privileged users on Windows systems to escalate privileges to SYSTEM level via DLL hijacking. Attackers can place malicious DLLs in writable directories within the system path, which NoMachine then loads with elevated privileges. Only NoMachine for Windows installations prior to versions 6.15.1 and 7.5.2 are affected.

💻 Affected Systems

Products:
  • NoMachine for Windows
Versions: All versions prior to 6.15.1 and 7.5.2
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations. Requires local access to the system with ability to write to directories in the system PATH.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains full SYSTEM privileges, enabling complete system compromise, data theft, persistence establishment, and lateral movement capabilities.

🟠 Likely Case

Local user with limited privileges escalates to SYSTEM to install malware, steal credentials, or bypass security controls on the compromised machine.

🟢 If Mitigated

With proper patching and least privilege principles, impact is limited to failed privilege escalation attempts that generate security alerts.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access; not directly exploitable over the network.
🏢 Internal Only: HIGH - Any compromised user account or insider threat can exploit this to gain SYSTEM privileges on affected Windows workstations/servers.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local user access but is straightforward once access is obtained. Public advisory includes technical details sufficient for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.15.1 and 7.5.2

Vendor Advisory: https://knowledgebase.nomachine.com/SU05S00223

Restart Required: Yes

Instructions:

1. Download NoMachine version 6.15.1 or 7.5.2 from the official website.
2. Run the installer with administrative privileges.
3. Restart the system after installation completes.

🔧 Temporary Workarounds

Restrict write permissions on system PATH directories

windows

Remove write permissions for non-administrative users on directories in the system PATH environment variable

icacls "C:\Windows\System32" /deny Users:(WD)
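
To find which system PATH directories this workaround needs to cover, the following audit lists every machine-wide PATH entry that a principal outside a trusted set can write to, and every entry that does not exist. It is an added example, not code from this page or from the vendor advisory; the trusted-SID list is an assumption to adapt to your environment.

```powershell
# Added example: list machine-wide PATH directories where a principal other
# than SYSTEM, Administrators or TrustedInstaller can plant a file.
# The trusted-SID list is an assumption; extend it for your environment.
$trustedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464' # TrustedInstaller
)

# Rights that allow creating files or taking control of the directory, plus
# the generic write/all bits (0x40000000, 0x10000000) seen in unmapped ACEs.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, ChangePermissions, TakeOwnership' -bor 0x50000000
$inheritOnlyBit = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

$dirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim().Trim('"')) } |
    Where-Object { $_ } | Select-Object -Unique

$findings = foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A missing PATH entry can be created by anyone able to write to its parent.
        [pscustomobject]@{ Directory = $dir; Principal = '-'; Rights = 'DIRECTORY MISSING' }
        continue
    }
    $acl = Get-Acl -LiteralPath $dir
    foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs apply to children, not to the directory itself.
        if (([int]$rule.PropagationFlags -band $inheritOnlyBit) -ne 0) { continue }
        if ($trustedSids -contains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }
        $name = $rule.IdentityReference.Value   # fall back to the raw SID
        try { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{ Directory = $dir; Principal = $name; Rights = $rule.FileSystemRights }
    }
}

if ($findings) {
    $findings | Sort-Object Directory, Principal | Format-Table -AutoSize -Wrap
} else {
    'No system PATH directory is writable by a principal outside the trusted list.'
}
```

Directories reported here are the ones to tighten or remove from the system PATH; rerun the audit after any change and after installing software that modifies PATH.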

Remove NoMachine from startup

windows

Prevent NoMachine from running automatically to reduce attack surface

Remove NoMachine from startup via Task Manager or msconfig

🧯 If You Can't Patch

  • Implement strict least privilege principles - ensure users only have necessary permissions
  • Monitor for DLL loading from unusual locations using Windows Event Logs or EDR solutions

🔍 How to Verify

Check if Vulnerable:

Check NoMachine version via Help > About in NoMachine interface or check installed programs in Control Panel

Check Version:

wmic product where name="NoMachine" get version

Verify Fix Applied:

Verify installed version is 6.15.1 or higher for version 6.x, or 7.5.2 or higher for version 7.x

📡 Detection & Monitoring

Log Indicators:

  • Windows Event ID 4688 showing NoMachine process spawning with SYSTEM privileges
  • DLL loading from non-standard locations by NoMachine processes

Network Indicators:

  • No direct network indicators - this is local exploitation

SIEM Query:

EventID=4688 AND NewProcessName="*NoMachine*" AND SubjectUserName="SYSTEM"
