CVE-2021-43637

8.8 HIGH

📋 TL;DR

This vulnerability is a buffer overflow in the Amazon WorkSpaces agent's IOCTL handler that allows local attackers to execute arbitrary code with kernel privileges or cause denial of service through memory corruption. It affects users of Amazon WorkSpaces with vulnerable agent versions. Attackers need local access to exploit this vulnerability.

💻 Affected Systems

Products:
  • Amazon WorkSpaces agent
Versions: All versions below v1.0.1.1537
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires local access to the WorkSpaces instance. The vulnerability is in the USB-over-Ethernet component used for device redirection.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise via kernel-mode arbitrary code execution leading to full administrative control, data theft, and persistent backdoor installation.

🟠 Likely Case

Privilege escalation from a standard user to SYSTEM/root level, enabling lateral movement and further exploitation within the environment.

🟢 If Mitigated

Limited impact if proper patch management and least privilege principles are followed, potentially only causing service disruption.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and crafting of specific IOCTL requests. The vulnerability was disclosed by security researchers with technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.0.1.1537 and later

Vendor Advisory: https://aws.amazon.com/security/security-bulletins/

Restart Required: Yes

Instructions:

1. Update the Amazon WorkSpaces agent to version 1.0.1.1537 or later.
2. Restart the WorkSpaces instance.
3. Verify the update through the agent's version check.

🔧 Temporary Workarounds

Restrict local user access (applies to: all)

Limit local user accounts on WorkSpaces instances to reduce attack surface.

Disable USB redirection (applies to: all)

Disable USB-over-Ethernet functionality if not required.

🧯 If You Can't Patch

  • Implement strict access controls to limit who has local access to WorkSpaces instances.
  • Monitor for unusual process behavior or privilege escalation attempts using endpoint detection tools.

🔍 How to Verify

Check if Vulnerable:

Check the Amazon WorkSpaces agent version. If below 1.0.1.1537, the system is vulnerable.

Check Version:

On Windows: check 'Programs and Features' for the Amazon WorkSpaces agent version.
On Linux: check the package manager or the agent logs.

Verify Fix Applied:

Confirm the agent version is 1.0.1.1537 or higher after update.
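The version check above is easy to get wrong when done as a string comparison (lexically, "1.0.1.999" sorts after "1.0.1.1537"). The following is an added example, not part of this advisory or of the WorkSpaces agent, that compares an inventory of agent version strings numerically against the fixed version; hostnames and version values are constructed sample data.

```python
# Added example (not from the advisory): numeric version comparison of
# installed WorkSpaces agent versions against the fixed version for
# CVE-2021-43637 (1.0.1.1537, taken from the advisory text).
from typing import Dict, Optional, Tuple

FIXED_VERSION = "1.0.1.1537"  # first fixed version per the advisory


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse a dotted version such as 'v1.0.1.1537' into an integer tuple.

    Returns None for anything that is not purely dotted integers, so that
    garbage (e.g. an empty inventory field) is never treated as patched.
    """
    text = text.strip()
    if text[:1] in ("v", "V"):
        text = text[1:]
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed agent is older than the fixed version.

    Each component is compared as an integer (1.0.1.999 < 1.0.1.1537);
    shorter tuples are zero-padded so '1.0.1' compares as '1.0.1.0'.
    Unparseable input raises rather than silently passing.
    """
    inst, fix = parse_version(installed), parse_version(fixed)
    if inst is None or fix is None:
        raise ValueError(f"unparseable version: {installed!r}")
    width = max(len(inst), len(fix))
    inst += (0,) * (width - len(inst))
    fix += (0,) * (width - len(fix))
    return inst < fix


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> version string to host -> 'vulnerable' | 'fixed' | 'unknown'."""
    result = {}
    for host, ver in inventory.items():
        try:
            result[host] = "vulnerable" if is_vulnerable(ver) else "fixed"
        except ValueError:
            result[host] = "unknown"  # needs manual follow-up, not a pass
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and versions).
    sample = {"ws-01": "v1.0.1.1536", "ws-02": "1.0.1.1537",
              "ws-03": "1.0.1.999", "ws-04": ""}
    for host, status in triage(sample).items():
        print(host, status)
```

Hosts reported as "unknown" (empty or malformed version fields) should be checked by hand rather than assumed patched.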

📡 Detection & Monitoring

Log Indicators:

  • Unusual IOCTL requests to the WorkSpaces driver
  • Process crashes in WorkSpaces agent
  • Privilege escalation events

Network Indicators:

  • Local system calls to vulnerable driver interfaces

SIEM Query:

Process creation events where parent process is WorkSpaces agent with unusual command line arguments
