CVE-2021-41352
📋 TL;DR
CVE-2021-41352 is an information disclosure vulnerability in Microsoft System Center Operations Manager (SCOM) that allows an authenticated attacker to read sensitive information they are not authorized to see. It affects any organization running a vulnerable SCOM release in which an attacker can obtain some level of authenticated access to the management servers; because SCOM holds an inventory of every monitored host and the accounts used to manage them, what it discloses is valuable well beyond SCOM itself.
💻 Affected Systems
- Microsoft System Center Operations Manager (SCOM)
📦 What is this software?
System Center Operations Manager by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
An attacker who can authenticate to SCOM reads data the role model was meant to hide: configuration and operational detail about the management group, the list of monitored systems, and potentially credential material. That is enough to plan follow-on attacks against the SCOM environment and against the systems it monitors.
Likely Case
An attacker who already has a foothold uses the disclosed information for reconnaissance: mapping the system architecture, identifying privileged accounts and high-value hosts, and choosing a path for privilege escalation or lateral movement through the monitored estate.
If Mitigated
Limited impact where management servers are segmented from user networks, SCOM accounts hold only the roles they need, and access to the management servers is logged and reviewed: the attacker then needs an account that is hard to obtain and whose use is visible.
🎯 Exploit Status
Requires authenticated access to the SCOM system. No public exploit code had been released at the time of writing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply the October 2021 security updates for System Center Operations Manager
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41352
Restart Required: Yes
Instructions:
1. Download the October 2021 security update for your SCOM release from the Microsoft Update Catalog.
2. Apply the update to all SCOM management servers, and to any other server role the package's KB article says it covers.
3. Restart the SCOM services or the servers as the installer requires.
4. Verify that the update was applied (see How to Verify below).
🔧 Temporary Workarounds
Restrict SCOM Access
Limit access to SCOM management servers to authorized administrators and monitoring accounts only
Use Windows Firewall or network ACLs to restrict access to the SCOM ports: TCP 5723 carries agent, gateway and management-server traffic, TCP 5724 carries console and SDK sessions
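The port restriction above, as an added example that is not part of the original page or of Microsoft's guidance. It scopes the inbound rules for TCP 5723 and 5724 on a management server to named source ranges. The ranges, rule names and the assumption that console clients and agents sit in separate subnets are placeholders for your own environment; the script is meant to be run elevated on each management server.

```powershell
# Added example, not from the page or from Microsoft. Run elevated on each management server.
# Assumptions (substitute your own ranges): console/SDK clients live in 10.10.0.0/24;
# agents, gateway servers and peer management servers live in 10.20.0.0/16.
$consoleClients = @('10.10.0.0/24')
$agentSources   = @('10.20.0.0/16')

function Restrict-ScomPort {
    param(
        [Parameter(Mandatory)][int]$Port,
        [Parameter(Mandatory)][string[]]$RemoteAddress,
        [Parameter(Mandatory)][string]$RuleName
    )
    # Inbound allow rules already open on this TCP port (SCOM setup creates its own)
    $existing = @(Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains "$Port" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })

    if ($existing.Count -gt 0) {
        # Narrow the existing rules rather than adding a competing one. This also
        # narrows any other port those rules happen to cover, so review the output.
        $existing | Set-NetFirewallRule -RemoteAddress $RemoteAddress
        foreach ($r in $existing) { "Scoped '$($r.DisplayName)' (TCP/$Port) to $($RemoteAddress -join ', ')" }
    } else {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort $Port -RemoteAddress $RemoteAddress -Action Allow | Out-Null
        "Created '$RuleName' allowing TCP/$Port from $($RemoteAddress -join ', ')"
    }
}

# Scoped allow rules only restrict anything if the profile blocks unsolicited inbound traffic
Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -eq 'Allow' } | ForEach-Object {
    Write-Warning "Firewall profile '$($_.Name)' allows inbound by default; scoped rules will not restrict access."
}

# 5724 carries console and SDK sessions: administrators only.
# 5723 carries agent, gateway and management-server traffic: it must stay reachable from
# every monitored source, so restricting it to admin subnets would break monitoring.
Restrict-ScomPort -Port 5724 -RemoteAddress $consoleClients -RuleName 'SCOM SDK/Console (scoped)'
Restrict-ScomPort -Port 5723 -RemoteAddress $agentSources   -RuleName 'SCOM Agent/Health Service (scoped)'
```

Check the result with Get-NetFirewallRule piped to Get-NetFirewallAddressFilter before relying on it, and remember that a rule whose LocalPort is Any is not matched by the port filter above and would still admit the traffic.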
Implement Least Privilege
Ensure users and service accounts hold only the minimum SCOM roles they need
Review and adjust SCOM user roles and permissions through SCOM console
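A role review that covers the two bullets above, as an added example that is not from the original page or from Microsoft. It lists every SCOM user role with its members and flags anything in the Administrators role beyond the one group you designate. The OperationsManager module is assumed to be present (it is installed with the management server and the console), and the group name is a placeholder.

```powershell
# Added example, not from the page or from Microsoft. Assumptions: run on a management
# server with the OperationsManager module available; CONTOSO\SCOM-Admins is a placeholder
# for the single AD group that should hold the Operations Manager Administrators role.
Import-Module OperationsManager
$expectedAdmins = @('CONTOSO\SCOM-Admins')

function Get-ScomRoleReport {
    param([Parameter(Mandatory)][string[]]$ExpectedAdmins)
    foreach ($role in Get-SCOMUserRole) {
        $members = @($role.Users)
        $finding = ''
        if ($role.DisplayName -like '*Administrators*') {
            # Anything in the Administrators role beyond the designated group is excess privilege
            $extra = @($members | Where-Object { $_ -notin $ExpectedAdmins })
            if ($extra.Count -gt 0) { $finding = "Unexpected administrators: $($extra -join ', ')" }
        } elseif ($members.Count -eq 0) {
            $finding = 'No members (candidate for removal if it is a custom role)'
        }
        [pscustomobject]@{
            Role        = $role.DisplayName
            MemberCount = $members.Count
            Members     = ($members -join '; ')
            Finding     = $finding
        }
    }
}

Get-ScomRoleReport -ExpectedAdmins $expectedAdmins | Format-Table -AutoSize
```

The Administrators role is backed by the Active Directory group chosen at setup, so the membership that matters is the group's membership in AD; review that as well. Membership changes go through Set-SCOMUserRole with -UserRole and -User; confirm the result with Get-SCOMUserRole afterwards.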
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SCOM management servers from general user networks
- Enable detailed auditing of all SCOM access and regularly review logs for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Any SCOM management server without the October 2021 security update is vulnerable. Do not enumerate installed products with Win32_Product: querying that class makes Windows Installer run a consistency check, and possibly a repair, on every MSI product on the host. Read the Uninstall registry keys instead: Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object { $_.DisplayName -like '*Operations Manager*' } | Select-Object DisplayName, DisplayVersion
Check Version:
The DisplayVersion returned above identifies the installed SCOM release. Update rollups and security patches do not necessarily change it, so it tells you which update package you need, not whether that package is installed.
Verify Fix Applied:
SCOM security updates are Windows Installer patches. They appear under Programs and Features > Installed Updates, not in the output of wmic qfe or Get-HotFix, which only list operating-system hotfixes. The reliable check is the one Microsoft's update KB articles describe: compare the file versions of the SCOM binaries listed in the KB with the versions installed under the SCOM install directory.
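The registry and file-version checks above combined into one script, as an added example that is not from the original page or from Microsoft. It assumes it runs on a management server, that SCOM setup has written InstallDirectory under HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup (with a fallback to the default install path), and that you take the required file version from the file-information table of the update KB for your release; the version passed at the bottom is a placeholder, not the real value.

```powershell
# Added example, not from the page or from Microsoft. Assumptions: management server;
# InstallDirectory is present under the SCOM Setup registry key; $PatchedVersion comes
# from the KB article for your SCOM release (the value used below is a placeholder).

function Get-ScomProductEntries {
    # Installed SCOM products from the Uninstall keys (avoids the Win32_Product repair side effect)
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Operations Manager*' } |
        Select-Object DisplayName, DisplayVersion, InstallDate
}

function Get-ScomInstallDirectory {
    $setup = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Setup' -ErrorAction SilentlyContinue
    if ($setup -and $setup.InstallDirectory) { return $setup.InstallDirectory }
    # Fallback: default install path of SCOM 2016/2019 (assumption)
    return 'C:\Program Files\Microsoft System Center\Operations Manager'
}

function Test-ScomPatched {
    param([Parameter(Mandatory)][version]$PatchedVersion)
    $dir = Get-ScomInstallDirectory
    # File versions of the SCOM binaries; these are what the KB's file-information table lists
    $binaries = Get-ChildItem -Path $dir -Recurse -ErrorAction SilentlyContinue `
            -Include 'Microsoft.EnterpriseManagement*.dll', 'Microsoft.Mom.*.dll' |
        ForEach-Object {
            $v = $null
            if ([version]::TryParse($_.VersionInfo.FileVersion, [ref]$v)) {
                [pscustomobject]@{ File = $_.Name; Version = $v; Path = $_.FullName }
            }
        }
    if (-not $binaries) { throw "No SCOM binaries found under $dir" }
    $newest = $binaries | Sort-Object Version -Descending | Select-Object -First 1
    [pscustomobject]@{
        InstallDirectory = $dir
        NewestBinary     = $newest.File
        NewestVersion    = $newest.Version
        RequiredVersion  = $PatchedVersion
        Patched          = ($newest.Version -ge $PatchedVersion)
    }
}

Get-ScomProductEntries | Format-Table -AutoSize
Test-ScomPatched -PatchedVersion '0.0.0.0'   # placeholder: substitute the version from the KB
```

The comparison uses the newest SCOM binary in the install tree as a quick indicator; for a definitive answer compare the specific files named in the KB, since file version numbering differs between SCOM releases and a single updated file does not prove the whole package was applied.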
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication patterns to SCOM servers
- Multiple failed authentication attempts followed by successful access
- Access to SCOM from unexpected user accounts or IP addresses
Network Indicators:
- Connections to the management server ports (TCP 5723, 5724) from hosts that are neither agents, gateways, peer management servers nor administrator workstations
- Unexpected outbound transfers from management servers, which hold the data an attacker would be after
SIEM Query:
The 4624/4625 events of interest are in the Windows Security log of the management servers themselves, not in SCOM's own logs, so the query must target the Security log from those hosts. In Splunk SPL, using the Windows add-on's XML field names (substitute your management server host names and field names; computer accounts are excluded because agent logons would otherwise dominate the counts):
index=wineventlog sourcetype=XmlWinEventLog host IN ("scom-ms01","scom-ms02") EventCode IN (4624,4625) | where NOT like(TargetUserName, "%$") | stats count(eval(EventCode=4625)) AS failures count(eval(EventCode=4624)) AS successes BY IpAddress, TargetUserName | where failures>0 AND successes>0
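The same log indicators applied locally on a management server, as an added example that is not from the original page or from Microsoft. It flattens Security-log 4624/4625 records, then flags logons by unexpected accounts, from unexpected sources, or preceded by a run of failures. The sample records, account names, addresses and the allow-lists are constructed for the example; the commented Get-WinEvent line at the end is how the analysis is fed on a real server.

```powershell
# Added example, not from the page or from Microsoft. Sample records, accounts, IPs and
# allow-lists below are constructed; on a real management server feed the functions from
# Get-WinEvent as shown in the comment at the bottom.

function ConvertFrom-LogonEvent {
    # Flatten a Security-log 4624/4625 record into the fields the analysis needs
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            Id        = $Event.Id
            User      = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            SourceIp  = $d['IpAddress']
            LogonType = $d['LogonType']
        }
    }
}

function Find-SuspiciousScomLogons {
    param(
        [Parameter(Mandatory)][object[]]$Logons,
        [string[]]$ExpectedAccounts,
        [string[]]$ExpectedSources,
        [int]$FailureThreshold = 3
    )
    # Computer accounts (HOST$) are the agents' own logons and would swamp the results
    $Logons | Where-Object { $_.User -notlike '*$' } |
      Group-Object SourceIp, User | ForEach-Object {
        $events   = @($_.Group | Sort-Object Time)
        $success  = $events | Where-Object Id -eq 4624 | Select-Object -First 1
        # Failures that precede the first success from this source/account pair
        $failures = @($events | Where-Object { $_.Id -eq 4625 -and ($null -eq $success -or $_.Time -lt $success.Time) })
        $user = $events[0].User; $ip = $events[0].SourceIp
        $reasons = @()
        if ($success -and $ExpectedAccounts -and $user -notin $ExpectedAccounts) { $reasons += 'success from unexpected account' }
        if ($success -and $ExpectedSources  -and $ip   -notin $ExpectedSources)  { $reasons += 'success from unexpected source' }
        if ($success -and $failures.Count -ge $FailureThreshold) { $reasons += "$($failures.Count) failures before success" }
        if ($reasons) {
            [pscustomobject]@{ SourceIp = $ip; User = $user; Failures = $failures.Count
                               FirstSuccess = $success.Time; Reasons = ($reasons -join '; ') }
        }
    }
}

# Constructed sample: a known admin from a known host, an agent's computer account,
# and a service account that succeeds only after three failures from an unknown host
$t = Get-Date '2021-10-13 09:00'
$sample = @(
    [pscustomobject]@{ Time = $t;               Id = 4624; User = 'CONTOSO\scomadmin';  SourceIp = '10.10.0.5'; LogonType = '3' },
    [pscustomobject]@{ Time = $t.AddMinutes(1); Id = 4624; User = 'CONTOSO\WEB01$';     SourceIp = '10.20.1.7'; LogonType = '3' },
    [pscustomobject]@{ Time = $t.AddMinutes(2); Id = 4625; User = 'CONTOSO\svc_backup'; SourceIp = '10.30.9.9'; LogonType = '3' },
    [pscustomobject]@{ Time = $t.AddMinutes(3); Id = 4625; User = 'CONTOSO\svc_backup'; SourceIp = '10.30.9.9'; LogonType = '3' },
    [pscustomobject]@{ Time = $t.AddMinutes(4); Id = 4625; User = 'CONTOSO\svc_backup'; SourceIp = '10.30.9.9'; LogonType = '3' },
    [pscustomobject]@{ Time = $t.AddMinutes(5); Id = 4624; User = 'CONTOSO\svc_backup'; SourceIp = '10.30.9.9'; LogonType = '3' }
)
Find-SuspiciousScomLogons -Logons $sample -ExpectedAccounts 'CONTOSO\scomadmin' -ExpectedSources '10.10.0.5' |
    Format-Table -AutoSize

# Live use (last 24 hours of the Security log on a management server):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-24) } |
#     ConvertFrom-LogonEvent
# Find-SuspiciousScomLogons -Logons $live -ExpectedAccounts $admins -ExpectedSources $adminHosts
```

On the sample only the svc_backup row is reported, with all three reasons. Tune the allow-lists from a baseline of normal console and SDK use; network logons from agents are expected on every management server and are the main source of noise if computer accounts are not filtered.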