CVE-2021-36973

7.8 HIGH

📋 TL;DR

This vulnerability allows an authenticated attacker to execute arbitrary code with SYSTEM privileges on affected Windows systems. It affects Windows clients and servers where the Redirected Drive Buffering System (RDBS) is enabled, typically in enterprise environments using folder redirection.

💻 Affected Systems

Products:
  • Microsoft Windows
Versions: Windows 10 versions 2004, 20H2, 21H1; Windows Server 2022, 2019, 2016; Windows 11
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires RDBS feature enabled, which is common in enterprise setups using folder redirection via Group Policy.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with SYSTEM privileges, enabling complete control over the system, data theft, lateral movement, and persistence.

🟠

Likely Case

Privilege escalation from a standard user account to SYSTEM, allowing installation of malware, credential harvesting, and bypassing security controls.

🟢

If Mitigated

Limited impact if proper access controls, least privilege principles, and network segmentation are implemented, restricting attacker movement.

🌐 Internet-Facing: LOW - Exploitation requires local authenticated access; not directly exploitable over the internet.
🏢 Internal Only: HIGH - Exploitable by authenticated users on the local network, posing significant risk in enterprise environments with shared systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user access; public proof-of-concept code exists, making it accessible to attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: August 2021 security updates (e.g., KB5005033 for Windows 10 21H1)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36973

Restart Required: Yes

Instructions:

1. Apply the August 2021 Windows security update via Windows Update.
2. For enterprise environments, deploy through WSUS or SCCM.
3. Restart the system after installation.

🔧 Temporary Workarounds

Disable RDBS via Registry

Disables the Redirected Drive Buffering System driver (rdbss.sys) to mitigate the vulnerability. Note that rdbss.sys is the kernel component beneath the Windows network redirectors, so setting its Start value to 4 (disabled) also removes SMB client access, including mapped drives and redirected folders, until the value is restored; test on a non-production host before deploying.

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Rdbss" /v Start /t REG_DWORD /d 4 /f

Restrict Folder Redirection

Limit use of folder redirection in Group Policy to reduce attack surface.

🧯 If You Can't Patch

  • Implement strict access controls and least privilege principles to limit authenticated user access.
  • Monitor for suspicious activity related to privilege escalation attempts and RDBS processes.

🔍 How to Verify

Check if Vulnerable:

Check whether the August 2021 security update is installed via the 'wmic qfe list' or 'systeminfo' command, or the PowerShell Get-HotFix cmdlet.

Check Version:

wmic os get caption, version, buildnumber

Verify Fix Applied:

Verify the security update KB number (e.g., KB5005033) is present in installed updates list.
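The following PowerShell script is an added example, not part of the original advisory or of any Microsoft tooling. It performs both checks above on the local host: it looks for the KB identifier from this page (KB5005033, the Windows 10 21H1 update) among installed hotfixes, and it compares the build's UBR (the last component of the OS build number) against a patched UBR that the operator supplies from the vendor advisory. The UBR comparison is included because cumulative updates supersede each other: a host that received a later cumulative update may not list the August KB at all yet is not vulnerable. The parameter names and the default of 0 for the patched UBR are assumptions of this example.

```powershell
# Added example: verify that the August 2021 update (or a later cumulative update) is present.
# Assumptions: KB identifier taken from the advisory above; the patched UBR is NOT on this page
# and must be supplied by the operator from the vendor advisory (placeholder default 0 = not supplied).
param(
    [string]$KbId = 'KB5005033',
    [int]$PatchedUbr = 0
)

# Build information from the registry: CurrentBuild is the major build, UBR the update revision.
$ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = "$($ver.CurrentBuild).$($ver.UBR)"
Write-Host "OS: $($ver.ProductName) $($ver.DisplayVersion) build $build"

# Check 1: is the KB listed among installed hotfixes? (Same data as 'wmic qfe list'.)
$kb = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
if ($kb) {
    Write-Host "$KbId installed on $($kb.InstalledOn)"
} else {
    Write-Host "$KbId is not listed in installed updates"
}

# Check 2: cumulative updates supersede earlier ones, so compare the UBR when one was supplied.
if ($PatchedUbr -gt 0) {
    if ([int]$ver.UBR -ge $PatchedUbr) {
        Write-Host "UBR $($ver.UBR) >= $PatchedUbr : build carries the fix"
    } else {
        Write-Host "UBR $($ver.UBR) < $PatchedUbr : build predates the fix, apply the update"
    }
} elseif (-not $kb) {
    Write-Host "No patched UBR supplied; compare build $build against the vendor advisory before concluding the host is vulnerable."
}
```

Run it as `.\Check-Rdbss.ps1 -PatchedUbr <value from advisory>` on each host; a KB check alone produces false "vulnerable" results on hosts that skipped straight to a later cumulative update.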

📡 Detection & Monitoring

Log Indicators:

  • Event ID 4688 for process creation with SYSTEM privileges from non-privileged users
  • Unusual RDBS-related process activity in Windows logs

Network Indicators:

  • Unusual SMB or network file sharing traffic from compromised systems

SIEM Query:

EventID=4688 AND NewProcessName="*rdbss*" AND SubjectUserName!="SYSTEM"
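The query above is written in generic SIEM syntax. As an added example (not from the original advisory), the PowerShell below applies the same filter directly to a host's Security log with Get-WinEvent, which is useful for spot checks where no SIEM is collecting 4688 events. It assumes "Audit Process Creation" success auditing is enabled (4688 is not logged otherwise) and that the script runs with rights to read the Security log. One deliberate deviation from the page's query: the SYSTEM exclusion is done on the subject SID (S-1-5-18, Local System) rather than the account name, because in 4688 events the Local System subject is often rendered as the computer account name rather than the literal string "SYSTEM". The parameter names and the 24-hour default window are assumptions of this example.

```powershell
# Added example: apply the advisory's 4688 filter to the local Security log.
# Assumptions: process-creation auditing is enabled; run with log-read rights.
param(
    [string]$Pattern = 'rdbss',   # substring to match in NewProcessName, as in the SIEM query
    [int]$Hours = 24              # look-back window
)

$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # 4688 fields (SubjectUserName, NewProcessName, ...) live in the EventData section of the XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    # Exclude Local System by SID rather than by display name (see lead-in).
    if ($d.NewProcessName -like "*$Pattern*" -and $d.SubjectUserSid -ne 'S-1-5-18') {
        [pscustomobject]@{
            Time     = $e.TimeCreated
            User     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process  = $d.NewProcessName
            Parent   = $d.ParentProcessName   # populated on Windows 10 / Server 2016 and later
            Elevated = $d.TokenElevationType  # %%1937 indicates a fully elevated token
        }
    }
}

if ($hits) { $hits | Format-Table -AutoSize } else { Write-Host "No matching 4688 events in the last $Hours hours" }
```

Enabling command-line auditing (the "Include command line in process creation events" policy) adds a CommandLine field to the same events, which can be read from `$d.CommandLine` with no other changes to the script.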
