CVE-2021-36955
📋 TL;DR
This vulnerability in the Windows Common Log File System Driver allows attackers to gain SYSTEM-level privileges on affected systems. It affects Windows 10 and Windows Server systems where an attacker already has local access. Successful exploitation enables complete system compromise.
💻 Affected Systems
- Windows 10
- Windows Server 2019
- Windows Server 2022
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 1909 by Microsoft
Windows 10 2004 by Microsoft
Windows 10 20h2 by Microsoft
Windows 10 21h1 by Microsoft
Windows 7 by Microsoft
Windows 8.1 by Microsoft
Windows Rt 8.1 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with SYSTEM privileges, enabling installation of persistent malware, credential theft, lateral movement, and data destruction.
Likely Case
Privilege escalation from a standard user account to SYSTEM, allowing attackers to bypass security controls, install backdoors, and access sensitive system resources.
If Mitigated
Limited impact if proper endpoint protection, least privilege principles, and network segmentation are implemented, though local privilege escalation remains possible.
🎯 Exploit Status
Exploit requires local access to the system. Public exploit code exists and has been used in real attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: August 2021 security updates (KB5005033 for Windows 10 21H1, KB5005031 for Windows 10 20H2, etc.)
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36955
Restart Required: Yes
Instructions:
1. Apply August 2021 Windows security updates via Windows Update. 2. For enterprise environments, deploy patches through WSUS or SCCM. 3. Verify installation via 'winver' command showing updated build numbers.
🔧 Temporary Workarounds
Disable CLFS driver
windowsDisable the Common Log File System Driver to prevent exploitation (may break logging functionality)
sc config clfs start= disabled
sc stop clfs
🧯 If You Can't Patch
- Implement strict least privilege access controls to limit initial compromise opportunities
- Deploy endpoint detection and response (EDR) solutions to detect privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check Windows build number via 'winver' - if below August 2021 patch levels, system is vulnerableCheck Version:
winverVerify Fix Applied:
Verify Windows Update history shows August 2021 security updates installed, or check build number matches patched versions📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 with process creation from suspicious parent processes
- Unexpected SYSTEM privilege acquisition by non-admin users
Network Indicators:
- Unusual outbound connections following local privilege escalation
SIEM Query:
EventID=4688 AND (NewProcessName="*\cmd.exe" OR NewProcessName="*\powershell.exe") AND SubjectUserName!="SYSTEM" AND TokenElevationType="%%1938"