CVE-2021-41367

Q: What is the severity of CVE-2021-41367?

CVE-2021-41367 has a CVSS score of 7.8 (HIGH). CVE-2021-41367 is an NTFS elevation of privilege vulnerability in Windows that allows authenticated attackers to gain SYSTEM-level privileges on affected systems. This affects Windows 10, Windows 11, and Windows Server systems with specific versions. Attackers need local access to exploit this vulnerability.

7.8 HIGH

📋 TL;DR

CVE-2021-41367 is an NTFS elevation of privilege vulnerability in Windows that allows authenticated attackers to gain SYSTEM-level privileges on affected systems. This affects Windows 10, Windows 11, and Windows Server systems with specific versions. Attackers need local access to exploit this vulnerability.

💻 Affected Systems

Products:

Windows 10
Windows 11
Windows Server 2019
Windows Server 2022

Versions: Windows 10 versions 1809, 1909, 2004, 20H2, 21H1; Windows 11; Windows Server 2019; Windows Server 2022

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Requires attacker to have valid credentials and local access to the system. Not exploitable remotely without initial access.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains full SYSTEM privileges, enabling complete system compromise, data theft, persistence establishment, and lateral movement across the network.

🟠

Likely Case

Privilege escalation from standard user to SYSTEM, allowing installation of malware, credential harvesting, and bypassing security controls.

🟢

If Mitigated

Limited impact with proper patch management, least privilege principles, and endpoint protection that can detect privilege escalation attempts.

🌐 Internet-Facing: LOW - Requires local authenticated access, not directly exploitable over the internet.

🏢 Internal Only: HIGH - Significant risk in internal environments where attackers can gain initial access through phishing or other means, then escalate privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit requires authenticated access but is relatively straightforward to execute once initial access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: October 2021 security updates (KB5006670, KB5006674, etc.)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41367

Restart Required: Yes

Instructions:

1. Apply October 2021 Windows security updates through Windows Update. 2. For enterprise environments, deploy updates via WSUS, SCCM, or Intune. 3. Restart systems after patch installation.

🔧 Temporary Workarounds

Restrict local access

windows

Limit who has local login access to critical systems

Implement least privilege

windows

Ensure users operate with minimal necessary privileges

🧯 If You Can't Patch

Implement application control policies to prevent unauthorized executables
Deploy endpoint detection and response (EDR) solutions to detect privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check Windows version and compare with affected versions list. Vulnerable if running affected versions without October 2021 patches.

Check Version:

winver or systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify October 2021 security updates are installed via 'wmic qfe list' or 'Get-Hotfix -Id KB5006670' (or relevant KB for your version).

📡 Detection & Monitoring

Log Indicators:

Event ID 4688 with parent process anomalies
Unexpected SYSTEM privilege acquisition
NTFS-related process creation with elevated privileges

Network Indicators:

Lateral movement attempts following local privilege escalation

SIEM Query:

EventID=4688 AND (NewProcessName="*\system32\*" OR ParentProcessName="*\system32\*") AND SubjectUserName!="SYSTEM" AND TokenElevationType="%%1938"

📊 Metadata

CVE ID: CVE-2021-41367

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-269

Published: November 10, 2021

Last Updated: November 21, 2024

🔗 References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41367 Patch,Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41367 Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 11 by Microsoft

Windows 11 by Microsoft

Windows 7 by Microsoft

Windows 8.1 by Microsoft

Windows Rt 8.1 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict local access

Implement least privilege

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities