CVE-2021-34455 – This vulnerability allows an authenticated atta... (How to Fix)

Q: What is the severity of CVE-2021-34455?

CVE-2021-34455 has a CVSS score of 7.8 (HIGH). This vulnerability allows an authenticated attacker to execute arbitrary code with SYSTEM privileges by exploiting a flaw in the Windows File History Service. It affects Windows 10, Windows Server 2016, and later versions where File History is enabled. Attackers need local access to exploit this privilege escalation vulnerability.

📋 TL;DR

This vulnerability allows an authenticated attacker to execute arbitrary code with SYSTEM privileges by exploiting a flaw in the Windows File History Service. It affects Windows 10, Windows Server 2016, and later versions where File History is enabled. Attackers need local access to exploit this privilege escalation vulnerability.

💻 Affected Systems

Products:

Windows 10
Windows Server 2016
Windows Server 2019
Windows Server 2022

Versions: Windows 10 versions 1607 through 21H1; Windows Server 2016 through 2022

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Requires File History service to be enabled. File History is typically enabled by default on Windows 10 client systems but may be disabled on servers.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker gains full SYSTEM-level control over the affected system, enabling installation of malware, data theft, credential harvesting, and lateral movement across the network.

🟠

Likely Case

Local authenticated attackers escalate privileges from standard user to SYSTEM, allowing them to bypass security controls, install persistent backdoors, or access protected system resources.

🟢

If Mitigated

With proper patching and least privilege principles, impact is limited to isolated systems with no lateral movement capability.

🌐 Internet-Facing: LOW - This requires local authenticated access, making direct internet exploitation unlikely without prior compromise.

🏢 Internal Only: HIGH - Once inside the network, attackers can exploit this to escalate privileges on vulnerable Windows systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated user access. Proof-of-concept code has been publicly released, making exploitation straightforward for attackers with local access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: July 2021 security updates (KB5004237 for Windows 10 21H1, KB5004238 for 20H2, etc.)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34455

Restart Required: Yes

Instructions:

1. Apply July 2021 Windows security updates via Windows Update. 2. For enterprise environments, deploy through WSUS or SCCM. 3. Verify installation via 'winver' command showing appropriate build numbers.

🔧 Temporary Workarounds

Disable File History Service

windows

Temporarily disable the vulnerable File History service to prevent exploitation

sc config fhsvc start= disabled
sc stop fhsvc

Restrict Service Permissions

windows

Modify File History service permissions to prevent unauthorized access

sc sdset fhsvc D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)

🧯 If You Can't Patch

Implement strict least privilege access controls to limit who can authenticate to vulnerable systems
Enable Windows Defender Exploit Guard and configure Attack Surface Reduction rules to block suspicious behavior

🔍 How to Verify

Check if Vulnerable:

Check if File History service is running: 'sc query fhsvc' and verify Windows version is before July 2021 patches

Check Version:

winver

Verify Fix Applied:

Verify Windows build number is at least: Windows 10 21H1 - 19043.1110, Windows 10 20H2 - 19042.1110, Windows Server 2019 - 17763.2061

📡 Detection & Monitoring

Log Indicators:

Event ID 4688 with process creation from fhsvc.exe with unusual parent processes
Unexpected File History service restarts or failures

Network Indicators:

Unusual outbound connections from systems with File History enabled

SIEM Query:

EventID=4688 AND (NewProcessName LIKE '%fhsvc.exe%' OR ParentProcessName LIKE '%fhsvc.exe%')

📊 Metadata

CVE ID: CVE-2021-34455

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-269

Published: July 16, 2021

Last Updated: November 21, 2024

🔗 References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34455 Patch,Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34455 Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-34455, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 8.1 by Microsoft

Windows Rt 8.1 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable File History Service

Restrict Service Permissions

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities