CVE-2021-41377

Q: What is the severity of CVE-2021-41377?

CVE-2021-41377 has a CVSS score of 7.8 (HIGH). This vulnerability in the Windows Fast FAT File System Driver allows attackers to escalate privileges from a low-privileged user account to SYSTEM level. It affects Windows systems with the vulnerable driver loaded. Attackers must have local access to exploit this flaw.

7.8 HIGH

📋 TL;DR

This vulnerability in the Windows Fast FAT File System Driver allows attackers to escalate privileges from a low-privileged user account to SYSTEM level. It affects Windows systems with the vulnerable driver loaded. Attackers must have local access to exploit this flaw.

💻 Affected Systems

Products:

Microsoft Windows

Versions: Windows 10 versions 1809, 1909, 2004, 20H2, 21H1; Windows Server 2019, 2022

Operating Systems: Windows 10, Windows Server 2019, Windows Server 2022

Default Config Vulnerable: ⚠️ Yes

Notes: Requires the Fast FAT file system driver (fastfat.sys) to be loaded, which typically occurs when FAT-formatted drives are accessed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full SYSTEM privilege escalation leading to complete system compromise, data theft, persistence establishment, and lateral movement across the network.

🟠

Likely Case

Local privilege escalation allowing attackers to bypass security controls, install malware, or access sensitive data on the compromised system.

🟢

If Mitigated

Limited impact if proper access controls, least privilege principles, and network segmentation are implemented to restrict local user access.

🌐 Internet-Facing: LOW - Requires local access to exploit, cannot be triggered remotely over the internet.

🏢 Internal Only: HIGH - Significant risk from insider threats, compromised user accounts, or malware that gains initial foothold with user privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access and user-level privileges. Proof-of-concept code has been published, making exploitation more accessible to attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: October 2021 security updates (KB5006670 for Windows 10 21H1, KB5006674 for 20H2, etc.)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41377

Restart Required: Yes

Instructions:

1. Apply October 2021 Windows security updates via Windows Update. 2. For enterprise environments, deploy patches through WSUS, SCCM, or Intune. 3. Restart systems after patch installation.

🔧 Temporary Workarounds

Restrict FAT drive access

windows

Prevent mounting of FAT-formatted drives to avoid loading the vulnerable driver

Use Group Policy to restrict removable drive access
Configure Device Control policies

Implement least privilege

windows

Restrict user privileges to minimize impact if exploited

Use Local Security Policy to configure user rights assignments
Implement Privileged Access Management

🧯 If You Can't Patch

Implement strict access controls and network segmentation to limit lateral movement
Deploy endpoint detection and response (EDR) solutions to detect privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check if October 2021 security updates are installed via 'winver' or 'systeminfo' command

Check Version:

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Verify Fix Applied:

Verify KB5006670 (or relevant October 2021 update) is installed in Windows Update history

📡 Detection & Monitoring

Log Indicators:

Event ID 4688 with process creation from low-privilege to SYSTEM
Unexpected fastfat.sys driver activity
Privilege escalation attempts in security logs

Network Indicators:

Unusual outbound connections from previously low-privilege accounts
Lateral movement attempts following local compromise

SIEM Query:

EventID=4688 AND NewProcessName="*" AND SubjectUserName!="SYSTEM" AND TokenElevationType="%%1936"

📊 Metadata

CVE ID: CVE-2021-41377

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-269

Published: November 10, 2021

Last Updated: November 21, 2024

🔗 References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41377 Patch,Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-41377 Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 10 by Microsoft

Windows 11 by Microsoft

Windows 11 by Microsoft

Windows 7 by Microsoft

Windows 8.1 by Microsoft

Windows Rt 8.1 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2008 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2012 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2016 by Microsoft

Windows Server 2019 by Microsoft

Windows Server 2022 by Microsoft

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Restrict FAT drive access

Implement least privilege

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities