CVE-2021-42138
📋 TL;DR
CVE-2021-42138 is an entropy weakness vulnerability in SafeNet Agent for Windows Logon that allows a local user to decrypt and access encrypted credentials of other users on the same machine. This affects organizations using Thales SafeNet authentication software for Windows logon. The vulnerability stems from insufficient randomness in cryptographic operations (CWE-331).
💻 Affected Systems
- SafeNet Agent for Windows Logon
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An authenticated local attacker could decrypt and steal credentials for all users on the machine, potentially gaining unauthorized access to sensitive systems and data.
Likely Case
A malicious insider or compromised account could harvest credentials from other users on the same system, leading to lateral movement and privilege escalation.
If Mitigated
With proper access controls and monitoring, impact is limited to credential exposure on individual systems rather than network-wide compromise.
🎯 Exploit Status
Exploitation requires local access to the machine and understanding of the weak entropy implementation. No public exploit code has been identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.3.1 and later
Vendor Advisory: https://cpl.thalesgroup.com/support/security-updates
Restart Required: Yes
Instructions:
1. Download SafeNet Agent for Windows Logon version 4.3.1 or later from the Thales support portal.
2. Run the installer with administrative privileges.
3. Follow the installation wizard.
4. Restart the system when prompted.
🔧 Temporary Workarounds
Restrict Local Access
Limit local login access to trusted administrators only to reduce the attack surface.
Enable Credential Guard
Use Windows Credential Guard to protect credentials with virtualization-based security.
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
# Credential Guard is not a Windows optional feature (there is no 'CredentialGuard' feature name);
# it is configured through Group Policy (Computer Configuration > Administrative Templates >
# System > Device Guard) or the registry values below, and takes effect after a reboot.
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -Name EnableVirtualizationBasedSecurity -PropertyType DWord -Value 1 -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -Name RequirePlatformSecurityFeatures -PropertyType DWord -Value 1 -Force   # 1 = Secure Boot, 3 = Secure Boot + DMA protection
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -PropertyType DWord -Value 1 -Force   # 1 = enabled with UEFI lock, 2 = enabled without lock
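Enabling the policy does not guarantee Credential Guard is actually running; the hardware prerequisites (UEFI, Secure Boot, virtualization extensions) must be met and the machine rebooted. The following check is an added example, not part of the advisory, and reads the Win32_DeviceGuard WMI class that Windows 10/11 and Server 2016+ expose:

```powershell
# Added example (not from the advisory): confirm whether Credential Guard is
# configured and running after the registry/GPO change and a reboot.
function Get-CredentialGuardStatus {
    # Win32_DeviceGuard lives in the DeviceGuard WMI namespace.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    # SecurityServicesConfigured / SecurityServicesRunning contain 1 for Credential Guard, 2 for HVCI.
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    [pscustomobject]@{
        VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
    }
}

$status = Get-CredentialGuardStatus
$status | Format-List
if (-not $status.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running; check VBS prerequisites (UEFI, Secure Boot, virtualization extensions) and reboot.'
}
```

A machine where CredentialGuardConfigured is true but CredentialGuardRunning is false usually has a firmware or hypervisor prerequisite missing rather than a policy problem.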
🧯 If You Can't Patch
- Implement strict least privilege access controls to limit who can log in locally to affected systems.
- Enable detailed auditing and monitoring of credential access events and suspicious local activity.
🔍 How to Verify
Check if Vulnerable:
Check SafeNet Agent version via Control Panel > Programs and Features or run: wmic product where "name like 'SafeNet Agent%'" get version
Check Version:
wmic product where "name like 'SafeNet Agent%'" get version
Verify Fix Applied:
Verify installed version is 4.3.1 or higher using the same version check command.
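As an added example (not from the advisory), the check below reads the installed SafeNet Agent version from the Uninstall registry keys, which is faster and more reliable than `wmic product` (that query triggers a Windows Installer consistency check of every package), and compares it numerically against the fixed version 4.3.1 named above. The `SafeNet Agent*` display-name pattern mirrors the page's WQL filter and is an assumption about the product's registered name.

```powershell
# Added example (not from the advisory): report whether the installed SafeNet Agent
# for Windows Logon is below the fixed version 4.3.1.
$FixedVersion  = [version]'4.3.1'
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'   # 32-bit installers on 64-bit Windows
)

function Get-SafeNetAgentStatus {
    $apps = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'SafeNet Agent*' }   # assumed display name pattern
    if (-not $apps) {
        return [pscustomobject]@{ Installed = $false; Name = $null; Version = $null; Vulnerable = $false }
    }
    foreach ($app in $apps) {
        # DisplayVersion is a string such as '4.2.0.123'; [version] gives a numeric comparison
        # rather than a lexical one (so 4.10 correctly sorts after 4.3).
        $parsed = $null
        $ok = [version]::TryParse($app.DisplayVersion, [ref]$parsed)
        [pscustomobject]@{
            Installed  = $true
            Name       = $app.DisplayName
            Version    = $app.DisplayVersion
            # Unparseable versions are reported as vulnerable so they get a manual look.
            Vulnerable = (-not $ok) -or ($parsed -lt $FixedVersion)
        }
    }
}

Get-SafeNetAgentStatus | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each host, or wrap the function in `Invoke-Command` to sweep a fleet; any row with Vulnerable set to True still needs the 4.3.1 update.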
📡 Detection & Monitoring
Log Indicators:
- Unusual credential access patterns in Windows Security logs (Event ID 4624, 4625, 4672)
- Multiple failed authentication attempts followed by successful logins from same source
Network Indicators:
- Unusual authentication traffic patterns to systems using SafeNet Agent
SIEM Query:
source="windows_security" (event_id=4624 OR event_id=4625) AND user="*" AND process_name="*safenet*" | stats count by src_ip, user, process_name
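The second log indicator above (several failed logons followed by a successful one for the same account from the same source) can be checked without a SIEM. The script below is an added example, not part of the advisory: the field names, the threshold of three failures, the ten-minute window and the sample events are all assumptions constructed for the example, and in production the records would come from `Get-WinEvent` on the Security log.

```powershell
# Added example (not from the advisory): flag accounts with several 4625 failures
# followed by a 4624 success from the same source within a short window.
$FailureThreshold = 3    # assumed: at least this many failures before the success
$WindowMinutes    = 10   # assumed: failures counted within this many minutes before the success

# Constructed sample events (not real log data). Source is the workstation named in the event.
$t0 = Get-Date '2021-10-01T09:00:00'
$events = @(
    @{ Time = $t0.AddMinutes(0);  Id = 4625; Account = 'alice'; Source = 'WS01' },
    @{ Time = $t0.AddMinutes(1);  Id = 4625; Account = 'alice'; Source = 'WS01' },
    @{ Time = $t0.AddMinutes(2);  Id = 4625; Account = 'alice'; Source = 'WS01' },
    @{ Time = $t0.AddMinutes(3);  Id = 4624; Account = 'alice'; Source = 'WS01' },   # three failures then success: flagged
    @{ Time = $t0.AddMinutes(5);  Id = 4625; Account = 'bob';   Source = 'WS02' },
    @{ Time = $t0.AddMinutes(6);  Id = 4624; Account = 'bob';   Source = 'WS02' },   # single failure: not flagged
    @{ Time = $t0.AddMinutes(20); Id = 4625; Account = 'carol'; Source = 'WS03' },
    @{ Time = $t0.AddMinutes(21); Id = 4625; Account = 'carol'; Source = 'WS03' },
    @{ Time = $t0.AddMinutes(22); Id = 4625; Account = 'carol'; Source = 'WS03' },
    @{ Time = $t0.AddMinutes(40); Id = 4624; Account = 'carol'; Source = 'WS03' }    # success outside the window: not flagged
) | ForEach-Object { [pscustomobject]$_ }

function Find-FailuresThenSuccess {
    param([object[]]$Events, [int]$Threshold, [int]$Minutes)
    # Group by account and source so a burst against one account from one host is judged on its own.
    foreach ($group in $Events | Group-Object Account, Source) {
        $sorted = $group.Group | Sort-Object Time
        foreach ($success in $sorted | Where-Object Id -eq 4624) {
            $windowStart = $success.Time.AddMinutes(-$Minutes)
            $failures = @($sorted | Where-Object {
                $_.Id -eq 4625 -and $_.Time -ge $windowStart -and $_.Time -lt $success.Time
            })
            if ($failures.Count -ge $Threshold) {
                [pscustomobject]@{
                    Account      = $success.Account
                    Source       = $success.Source
                    Failures     = $failures.Count
                    FirstFailure = $failures[0].Time
                    SuccessAt    = $success.Time
                }
            }
        }
    }
}

Find-FailuresThenSuccess -Events $events -Threshold $FailureThreshold -Minutes $WindowMinutes | Format-Table -AutoSize

# Against the live Security log, build $events from
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 }
# mapping TimeCreated to Time and the TargetUserName / WorkstationName event data
# to Account / Source.
```

Only the alice/WS01 pair is reported with the sample data; bob has a single failure and carol's success falls outside the window. Tune the threshold and window to the environment's normal rate of mistyped passwords before alerting on the result.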
🔗 References
- https://cpl.thalesgroup.com/support/security-updates
- https://supportportal.gemalto.com/csm?sys_kb_id=a52bd13adbff7010f0e322080596194a&id=kb_article_view&sysparm_rank=1&sysparm_tsqueryId=b3bdd932db33b010f0e3220805961955
- https://supportportal.gemalto.com/csm?sys_kb_id=e8397662dbb7fc10520c4705059619eb&id=kb_article_view&sysparm_rank=2&sysparm_tsqueryId=b3bdd932db33b010f0e3220805961955