CVE-2021-43247
📋 TL;DR
This vulnerability in the Windows TCP/IP driver allows an attacker to execute arbitrary code with elevated SYSTEM privileges. It affects Windows systems with the vulnerable driver component. Attackers can exploit this locally to gain complete control over affected systems.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
Windows 10 by Microsoft
Windows 10 by Microsoft
Windows 10 by Microsoft
Windows 10 by Microsoft
Windows 10 by Microsoft
Windows 10 by Microsoft
Windows 10 by Microsoft
Windows 10 by Microsoft
Windows 10 by Microsoft
Windows 10 by Microsoft
Windows 10 by Microsoft
Windows 10 by Microsoft
Windows 10 by Microsoft
Windows 10 by Microsoft
Windows 10 by Microsoft
Windows 10 by Microsoft
Windows 10 by Microsoft
Windows 10 by Microsoft
Windows 11 by Microsoft
Windows 11 by Microsoft
Windows Server by Microsoft
Windows Server by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of malware, data theft, and persistence mechanisms.
Likely Case
Local privilege escalation from a lower-privileged user account to SYSTEM, allowing attackers to bypass security controls.
If Mitigated
Limited impact if proper patch management and least privilege principles are enforced, though exploitation could still occur.
🎯 Exploit Status
Exploitation requires local access and some technical knowledge. Proof-of-concept code has been published, increasing the likelihood of weaponization.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Security updates from December 2021 or later
Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43247
Restart Required: Yes
Instructions:
1. Apply the December 2021 Windows security updates. 2. For Windows 10, install KB5008212 or later. 3. For Windows 11, install KB5008215 or later. 4. Restart the system after installation.
🔧 Temporary Workarounds
Restrict local access
windowsLimit local user access to systems to reduce attack surface
Enable Windows Defender Exploit Guard
windowsUse exploit protection to mitigate privilege escalation attempts
Set-ProcessMitigation -System -Enable DEP,ASLR,CFG
🧯 If You Can't Patch
- Implement strict least privilege principles to limit local user privileges
- Monitor for suspicious local privilege escalation attempts using security tools
🔍 How to Verify
Check if Vulnerable:
Check if the December 2021 security updates are installed via Windows Update or by checking system versionCheck Version:
wmic qfe list | findstr KB5008212 (for Windows 10) or systeminfo | findstr KB5008215 (for Windows 11)Verify Fix Applied:
Verify that KB5008212 (Windows 10) or KB5008215 (Windows 11) or later is installed📡 Detection & Monitoring
Log Indicators:
- Event ID 4688 with privileged process creation from non-privileged users
- Unexpected SYSTEM privilege processes
Network Indicators:
- Local network connections from newly elevated processes
SIEM Query:
EventID=4688 AND NewProcessName="*" AND SubjectUserName!="SYSTEM" AND TokenElevationType="%%1938"