CVE-2021-36967 – This vulnerability allows an authenticated atta... (How to Fix)

Q: What is the severity of CVE-2021-36967?

CVE-2021-36967 has a CVSS score of 8.0 (HIGH). This vulnerability allows an authenticated attacker to execute arbitrary code with SYSTEM privileges by exploiting a flaw in the Windows WLAN AutoConfig Service. It affects Windows systems where an attacker has local access and can manipulate WLAN profiles. The vulnerability enables privilege escalation from a standard user account to full system control.

📋 TL;DR

This vulnerability allows an authenticated attacker to execute arbitrary code with SYSTEM privileges by exploiting a flaw in the Windows WLAN AutoConfig Service. It affects Windows systems where an attacker has local access and can manipulate WLAN profiles. The vulnerability enables privilege escalation from a standard user account to full system control.

💻 Affected Systems

Products:

Microsoft Windows

Versions: Windows 10 versions 2004, 20H2, 21H1; Windows 11; Windows Server 2022; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Affects systems with WLAN AutoConfig Service enabled (default on most Windows installations). Requires attacker to have local authenticated access.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains complete SYSTEM-level control over the Windows system, enabling installation of malware, data theft, credential harvesting, and lateral movement across the network.

🟠

Likely Case

Privilege escalation from a standard user account to SYSTEM privileges, allowing attackers to bypass security controls, install persistence mechanisms, and access sensitive system resources.

🟢

If Mitigated

Limited impact if proper patch management and least privilege principles are enforced, though local authenticated attackers could still attempt exploitation.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring authenticated access to the system.

🏢 Internal Only: HIGH - Significant risk in enterprise environments where attackers could gain initial access through phishing or other means, then escalate privileges locally.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access but is relatively straightforward once initial access is obtained. Multiple security researchers have published proof-of-concept code.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: August 2021 security updates (KB5005033 for Windows 10 21H1, 20H2, 2004; KB5005031 for Windows 11; corresponding updates for other affected versions)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36967

Restart Required: Yes

Instructions:

1. Apply the August 2021 Windows security updates through Windows Update. 2. For enterprise environments, deploy through WSUS or SCCM. 3. Verify the patch is applied by checking system version. 4. Restart the system as required.

🔧 Temporary Workarounds

Disable WLAN AutoConfig Service

windows

Temporarily disable the vulnerable service to prevent exploitation while patching is being deployed

sc config WlanSvc start= disabled
sc stop WlanSvc

Restrict WLAN profile permissions

windows

Set stricter permissions on WLAN profiles to prevent unauthorized manipulation

icacls "%ProgramData%\Microsoft\Wlansvc\Profiles\Interfaces\*" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" /grant:r "Administrators:(OI)(CI)F" /grant:r "NETWORK SERVICE:(OI)(CI)R"

🧯 If You Can't Patch

Implement strict least privilege access controls to limit who has local authenticated access
Enable Windows Defender Exploit Guard and configure Attack Surface Reduction rules

🔍 How to Verify

Check if Vulnerable:

Check if the August 2021 security updates are installed via 'systeminfo' command or Windows Update history

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify KB5005033 (or corresponding update for your version) is installed and system has been restarted

📡 Detection & Monitoring

Log Indicators:

Event ID 4697: Service installed in the system
Unusual WLAN service activity
Process creation with SYSTEM privileges from non-admin accounts

Network Indicators:

Unusual network connections from SYSTEM processes
Lateral movement attempts following local privilege escalation

SIEM Query:

EventID=4697 AND ServiceName="WlanSvc" AND SubjectUserName NOT IN ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")

📊 Metadata

CVE ID: CVE-2021-36967

CVSS v3 Score: 8.0 (HIGH)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-269

Published: September 15, 2021

Last Updated: November 21, 2024

🔗 References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36967 Patch,Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36967 Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-36967, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable WLAN AutoConfig Service

Restrict WLAN profile permissions

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities