CVE-2021-36942
📋 TL;DR
CVE-2021-36942 is a Local Security Authority (LSA) spoofing vulnerability in Windows that allows an authenticated attacker to impersonate any user on a system, including administrators. This affects Windows 10, Windows 11, and Windows Server systems. Attackers can exploit this to elevate privileges and potentially gain full system control.
💻 Affected Systems
- Windows 10
- Windows 11
- Windows Server 2019
- Windows Server 2022
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with administrative privileges, enabling lateral movement, data theft, ransomware deployment, and persistent backdoor installation.
Likely Case
Privilege escalation from standard user to SYSTEM/administrator level, allowing installation of malware, credential harvesting, and bypassing security controls.
If Mitigated
Limited impact with proper network segmentation, least privilege enforcement, and endpoint detection/prevention systems blocking suspicious LSA calls.
🎯 Exploit Status
Exploit code is publicly available and has been observed in real-world attacks. Requires authenticated access to the target system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: August 2021 security updates (KB5005033 for Windows 10 21H1, KB5005031 for Windows 10 20H2, etc.)
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36942
Restart Required: Yes
Instructions:
1. Apply the August 2021 Windows security updates via Windows Update.
2. For enterprise environments, deploy them through WSUS or Microsoft Endpoint Configuration Manager.
3. Restart systems after patch installation.
🔧 Temporary Workarounds
Restrict NTLM authentication
Windows: configure Group Policy to restrict NTLM authentication, which may reduce the attack surface.
gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Restrict NTLM: Incoming NTLM traffic
Enable Windows Defender Credential Guard
Windows: protects against credential-theft attacks that could be combined with this vulnerability.
Enable via Group Policy: Computer Configuration -> Administrative Templates -> System -> Device Guard -> Turn On Virtualization Based Security
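The following PowerShell script is an added example, not part of the advisory, for checking whether the two workarounds above are actually in effect on a host. It reads the policy-backed registry values behind "Restrict NTLM: Incoming NTLM traffic" and "Turn On Virtualization Based Security" (the paths and value names are assumed from the standard policy mappings; confirm them against your GPO) and asks the Win32_DeviceGuard class which security services are running, because a configured Credential Guard is not necessarily a running one.

```powershell
# Added example (not from the advisory): report the status of the NTLM
# restriction and Credential Guard workarounds on the local host.
# Registry paths below are the assumed policy-backed locations.
function Get-LsaWorkaroundStatus {
    # "Network security: Restrict NTLM: Incoming NTLM traffic"
    # 0 or absent = allow all, 1 = deny for domain accounts, 2 = deny all
    $ntlmPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $restrict = (Get-ItemProperty -Path $ntlmPath -Name 'RestrictReceivingNTLMTraffic' `
                 -ErrorAction SilentlyContinue).RestrictReceivingNTLMTraffic
    $ntlmLabel = 'Allow all (not restricted)'
    switch ($restrict) {
        1 { $ntlmLabel = 'Deny for domain accounts' }
        2 { $ntlmLabel = 'Deny all incoming NTLM' }
    }

    # "Turn On Virtualization Based Security" and its Credential Guard sub-setting
    $dgPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $vbs = (Get-ItemProperty -Path $dgPath -Name 'EnableVirtualizationBasedSecurity' `
            -ErrorAction SilentlyContinue).EnableVirtualizationBasedSecurity
    # LsaCfgFlags: 1 = Credential Guard with UEFI lock, 2 = without lock
    $lsaCfg = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
               -Name 'LsaCfgFlags' -ErrorAction SilentlyContinue).LsaCfgFlags

    # Runtime view: SecurityServicesRunning contains 1 when Credential Guard is active
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $cgRunning = ($dg.SecurityServicesRunning -contains 1)

    [pscustomobject]@{
        Host                      = $env:COMPUTERNAME
        RestrictIncomingNTLM      = $ntlmLabel
        VBSConfigured             = ($vbs -eq 1)
        CredentialGuardConfigured = ($lsaCfg -in 1, 2)
        CredentialGuardRunning    = $cgRunning
    }
}

Get-LsaWorkaroundStatus | Format-List
```

Run it from an elevated prompt. A host that reports VBSConfigured and CredentialGuardConfigured as true but CredentialGuardRunning as false has the policy but not the protection, typically because virtualization support is missing or a restart is still pending.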
🧯 If You Can't Patch
- Implement strict network segmentation to limit lateral movement from compromised systems
- Enforce least privilege access controls and monitor for unusual LSA process activity
🔍 How to Verify
Check if Vulnerable:
Check Windows version and compare with patched versions. Systems running Windows 10 1809+ or Windows 11 without August 2021 updates are vulnerable.
Check Version:
winver or systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Verify Fix Applied:
Verify Windows Update history contains August 2021 security updates (KB5005033 or similar) or check system version is post-patch.
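The following PowerShell function is an added example, not part of the advisory, that automates the check above: it reports the OS caption, version and build from Win32_OperatingSystem and looks for the August 2021 KB identifiers the advisory names in the installed-hotfix list. Extend the `$Kb` list with the KB for your own build (the two values below are those quoted above, nothing else is assumed).

```powershell
# Added example (not from the advisory): check a host for the August 2021
# security update by KB identifier and report its OS build for comparison.
function Test-Cve202136942Patched {
    param(
        # KB identifiers quoted in the advisory; add the KB for your own build
        [string[]]$Kb = @('KB5005033', 'KB5005031')
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Get-HotFix lists updates recorded in Win32_QuickFixEngineering
    $installed = Get-HotFix | Where-Object { $Kb -contains $_.HotFixID }

    [pscustomobject]@{
        Host        = $env:COMPUTERNAME
        OSCaption   = $os.Caption
        OSVersion   = $os.Version
        BuildNumber = $os.BuildNumber
        LastBoot    = $os.LastBootUpTime
        MatchedKB   = ($installed.HotFixID -join ', ')
        Patched     = [bool]$installed
    }
}

Test-Cve202136942Patched | Format-List
```

One caveat: cumulative updates supersede each other, so a host patched with a later month's update will not list the August 2021 KB and will report Patched as false. Treat a false result as "check the OS build against the vendor advisory", not as proof the host is vulnerable. The LastBoot field is included because the fix needs a restart to take effect.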
📡 Detection & Monitoring
Log Indicators:
- Unusual LSA process creation events (Event ID 4688)
- Suspicious authentication attempts in Security logs
- Unexpected privilege escalation events
Network Indicators:
- Unusual NTLM authentication patterns
- Lateral movement attempts from previously compromised systems
SIEM Query:
EventID=4688 AND (ProcessName="lsass.exe" OR CommandLine CONTAINS "lsass") AND NewProcessName NOT IN (expected_processes)
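As an added example (not from the advisory), the following PowerShell runs the SIEM query above locally against the Security log. It reads Event ID 4688 records, parses the EventData fields from the event XML, and flags process creations whose parent is lsass.exe or whose command line mentions lsass, excluding an allow-list. The allow-list is a constructed placeholder; the advisory's `ProcessName` is interpreted here as the 4688 ParentProcessName field.

```powershell
# Added example (not from the advisory): hunt 4688 events for process
# creations that touch lsass, minus an allow-list of expected processes.
# Needs "Audit Process Creation" and command-line logging enabled, and an
# elevated prompt to read the Security log.

# Constructed allow-list; tune it to your own estate.
$ExpectedProcesses = @(
    'C:\Windows\System32\lsass.exe',
    'C:\Windows\System32\svchost.exe'
)

function Get-SuspiciousLsaProcessEvents {
    param([int]$MaxEvents = 5000)

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # EventData is only reachable through the event XML
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $newProc = $data['NewProcessName']
        $parent  = $data['ParentProcessName']   # present on Windows 10 / Server 2016 and later
        $cmd     = $data['CommandLine']

        $touchesLsa = ($parent -like '*\lsass.exe') -or ($cmd -match 'lsass')
        if ($touchesLsa -and ($ExpectedProcesses -notcontains $newProc)) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                User        = $data['SubjectUserName']
                NewProcess  = $newProc
                Parent      = $parent
                CommandLine = $cmd
            }
        }
    }
}

Get-SuspiciousLsaProcessEvents | Format-Table -AutoSize
```

If CommandLine comes back empty for every event, the "Include command line in process creation events" policy is off and only the parent-process condition is doing any work; enable it before relying on this detection.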
🔗 References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36942
- https://www.kb.cert.org/vuls/id/405600
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-36942