CVE-2021-41370

Q: What is the severity of CVE-2021-41370?

CVE-2021-41370 has a CVSS score of 7.8 (HIGH). This vulnerability allows an authenticated attacker to gain SYSTEM-level privileges on Windows systems by exploiting a flaw in NTFS file system handling. It affects Windows servers and workstations where an attacker has local access. Successful exploitation requires the attacker to already have some level of access to the system.

7.8 HIGH

📋 TL;DR

This vulnerability allows an authenticated attacker to gain SYSTEM-level privileges on Windows systems by exploiting a flaw in NTFS file system handling. It affects Windows servers and workstations where an attacker has local access. Successful exploitation requires the attacker to already have some level of access to the system.

💻 Affected Systems

Products:

Windows 10
Windows 11
Windows Server 2016
Windows Server 2019
Windows Server 2022

Versions: Various versions prior to October 2021 updates

Operating Systems: Windows

Default Config Vulnerable: ⚠️ Yes

Notes: Affects default installations of Windows. Requires authenticated user access to exploit.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attacker gains full SYSTEM privileges, enabling complete system compromise, data theft, persistence establishment, and lateral movement across the network.

🟠

Likely Case

Privilege escalation from standard user or service account to SYSTEM, allowing installation of malware, credential harvesting, and bypassing security controls.

🟢

If Mitigated

Limited impact due to proper access controls, least privilege principles, and network segmentation preventing lateral movement.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring authenticated access to the system.

🏢 Internal Only: HIGH - Significant risk for internal systems where attackers could gain initial access through phishing or other means and then escalate privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit requires authenticated access but is relatively straightforward to execute once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: October 2021 security updates (KB5006670, KB5006672, etc.)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41370

Restart Required: Yes

Instructions:

1. Apply October 2021 Windows security updates from Windows Update. 2. For enterprise environments, deploy through WSUS or SCCM. 3. Restart systems after patch installation.

🔧 Temporary Workarounds

Restrict user permissions

windows

Implement least privilege principles to limit what authenticated users can do on systems

Network segmentation

all

Segment critical systems to limit lateral movement if privilege escalation occurs

🧯 If You Can't Patch

Implement strict access controls and monitor for privilege escalation attempts
Deploy application whitelisting to prevent execution of unauthorized binaries

🔍 How to Verify

Check if Vulnerable:

Check Windows Update history for October 2021 security updates or run 'systeminfo' command and verify build number is after the patched versions

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify October 2021 security updates are installed via Windows Update history or check build number matches patched versions

📡 Detection & Monitoring

Log Indicators:

Windows Security Event ID 4688 (process creation) showing unexpected SYSTEM privilege processes
Event ID 4672 (special privileges assigned) for unusual accounts

Network Indicators:

Unusual outbound connections from previously low-privilege accounts
Lateral movement attempts from compromised systems

SIEM Query:

EventID=4688 AND NewProcessName="*" AND SubjectUserName!="SYSTEM" AND TokenElevationType="%%1938"

📊 Metadata

CVE ID: CVE-2021-41370

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-269

Published: November 10, 2021

Last Updated: November 21, 2024

🔗 References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41370 Patch,Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41370 Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 11 by Microsoft

Windows 11 by Microsoft

Windows 7 by Microsoft

Windows 8.1 by Microsoft

Windows Rt 8.1 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict user permissions

Network segmentation

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities