CVE-2021-47829
📋 TL;DR
This vulnerability allows local attackers to execute arbitrary code with SYSTEM privileges by exploiting an unquoted service path in DHCP Broadband. Attackers can place malicious executables in locations that get executed when the service starts. Only systems running DHCP Broadband 4.1.0.1503 on Windows are affected.
💻 Affected Systems
- DHCP Broadband
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, allowing attackers to install persistent malware, steal credentials, or pivot to other systems.
Likely Case
Local privilege escalation leading to persistence, credential theft, and lateral movement within the network.
If Mitigated
Limited impact if proper endpoint protection and least privilege principles are enforced.
🎯 Exploit Status
Exploitation requires local access and ability to write to directories in the service path. Public exploit code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: Not available
Restart Required: Yes
Instructions:
1. Check the vendor website for an updated version.
2. If one is available, download and install it.
3. Restart the service.
4. Verify that the service path is properly quoted in the registry.
🔧 Temporary Workarounds
Quote Service Path
Windows: manually quote the service path in the registry so the Service Control Manager resolves the executable unambiguously. Run the following from cmd.exe; in PowerShell use sc.exe, because sc on its own is an alias for Set-Content.
sc config "DHCP Broadband" binPath= "\"C:\Program Files\DHCP Broadband 4\dhcpt.exe\""
Restrict Directory Permissions
Windows: remove write permissions for non-administrative users on directories in the service path.
icacls "C:\Program Files\DHCP Broadband 4" /deny Users:(OI)(CI)W
🧯 If You Can't Patch
- Remove DHCP Broadband service if not required.
- Implement strict endpoint detection and response (EDR) to monitor for privilege escalation attempts.
🔍 How to Verify
Check if Vulnerable:
Check if service path is unquoted: sc qc "DHCP Broadband" | findstr /i "BINARY_PATH_NAME"
Check Version:
Check program version in Control Panel > Programs and Features or run: wmic product where name="DHCP Broadband" get version
Verify Fix Applied:
Verify service path is quoted: sc qc "DHCP Broadband" | findstr /i "BINARY_PATH_NAME" and check for quotes around the path.
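The following PowerShell script is an added example, not part of this advisory and not the vendor's code. It generalises the sc qc check above and the two workarounds to every service on the host: it lists services whose binary path is unquoted and contains spaces, derives the directories Windows probes while resolving such a path (for the path in the workaround: C:\ and C:\Program Files, which is where a stray Program.exe or DHCP.exe would be picked up), flags any of those directories that grant file-creation rights to broad groups, and prints the sc.exe config command in the form shown under Temporary Workarounds. The list of groups in $BroadPrincipals is an assumption to adjust for your environment. Run it in an elevated session; it changes nothing.

```powershell
# Added example (not from the advisory): audit all services for unquoted binary
# paths with spaces, list the directories Windows would probe, and report which
# of them are writable by non-administrative principals. Read-only.

# Assumption: these are the principals whose write access matters; extend as needed.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# CreateFiles (2), GenericWrite (0x40000000) and GenericAll (0x10000000) each allow dropping a file.
$FileCreateMask = 2 -bor 0x40000000 -bor 0x10000000

function Get-ProbeDirectories {
    # For an unquoted "C:\Program Files\Vendor App\svc.exe" Windows tries
    # C:\Program.exe, then C:\Program Files\Vendor.exe, before the real file.
    # Return the parent directory of each such candidate, de-duplicated.
    param([string]$ExePath)
    $dirs  = New-Object System.Collections.Generic.List[string]
    $parts = $ExePath -split ' '
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
        $dir = Split-Path -Path $candidate -Parent
        if ($dir -and -not $dirs.Contains($dir)) { $dirs.Add($dir) }
    }
    return $dirs
}

function Test-NonAdminWritable {
    # True if a broad principal holds an Allow ACE that applies to this directory
    # itself (not inherit-only) and includes a file-creation right.
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (($rule.PropagationFlags -band 2) -ne 0) { continue }   # InheritOnly: children only
        if ($BroadPrincipals -notcontains $rule.IdentityReference.Value) { continue }
        if (($rule.FileSystemRights.value__ -band $FileCreateMask) -ne 0) { return $true }
    }
    return $false
}

function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        $raw = $svc.PathName
        # Already quoted, or empty: not affected.
        if ([string]::IsNullOrWhiteSpace($raw) -or $raw.StartsWith('"')) { return }
        # Separate the executable from its arguments: keep up to the first ".exe".
        $m    = [regex]::Match($raw, '^(.*?\.exe)', 'IgnoreCase')
        $exe  = if ($m.Success) { $m.Groups[1].Value } else { $raw.TrimEnd() }
        $tail = $raw.Substring($exe.Length).TrimEnd()
        if ($exe -notmatch ' ') { return }                          # no space, no ambiguity
        $dirs = Get-ProbeDirectories -ExePath $exe
        [pscustomobject]@{
            Service          = $svc.Name
            RunsAs           = $svc.StartName
            BinaryPath       = $raw
            ProbeDirectories = $dirs -join '; '
            NonAdminWritable = ($dirs | Where-Object { Test-NonAdminWritable $_ }) -join '; '
            FixCommand       = "sc.exe config `"$($svc.Name)`" binPath= `"\`"$exe\`"$tail`""
        }
    }
}

Get-UnquotedServicePath | Format-List
```

A service that appears in the output with RunsAs of LocalSystem and a non-empty NonAdminWritable column is the combination this CVE describes; an unquoted path whose probe directories are all write-protected (the default for C:\ and C:\Program Files) is still worth fixing but is not exploitable by a standard user as-is. After applying the FixCommand, a second run should no longer list the service.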
📡 Detection & Monitoring
Log Indicators:
- Windows Event ID 4688 (process creation) showing unexpected executables running from DHCP Broadband directories
- Windows Event ID 7045 (service installation) for new services
Network Indicators:
- Unusual outbound connections from systems running DHCP Broadband service
SIEM Query:
source="windows" AND (event_id=4688 OR event_id=7045) AND (process_path="*DHCP Broadband*" OR service_name="DHCP Broadband")
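As an added example of the log indicators above (not part of the advisory, and not a query from any particular SIEM), the PowerShell script below reads Event ID 4688 from the Security log and Event ID 7045 from the System log on the local host. It assumes an elevated session, that Audit Process Creation is enabled (otherwise 4688 is never written), and that the product is installed at the path used in the workaround section; change $ServicePath if not. Beyond the SIEM query above, it also matches the file names Windows would try before the real binary (C:\Program.exe and so on), because a process launched through the unquoted path does not sit under the product directory and the wildcard alone would miss it.

```powershell
# Added example (not from the advisory): local event-log hunt for the two
# indicators named above. Read-only.

$ServicePath = 'C:\Program Files\DHCP Broadband 4\dhcpt.exe'   # path from the workaround section
$ProductGlob = '*DHCP Broadband*'
$Since       = (Get-Date).AddDays(-7)                           # assumption: look back one week

# File names Windows would try before the real binary when the path is unquoted.
$parts      = $ServicePath -split ' '
$ProbeNames = 1..($parts.Count - 1) | ForEach-Object { ($parts[0..($_ - 1)] -join ' ') + '.exe' }

function Get-EventField {
    # Read one named EventData value from an event record's XML.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record, [string]$Name)
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-ProcessStartIndicators {
    # Security 4688: process creation.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc   = Get-EventField $_ 'NewProcessName'
        $reason = if ($ProbeNames -contains $proc) { 'started from an unquoted-path probe name' }
                  elseif ($proc -like $ProductGlob) { 'executable under product directory' }
        if ($reason) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Process = $proc
                Parent  = Get-EventField $_ 'ParentProcessName'   # null on systems that do not log it
                User    = Get-EventField $_ 'SubjectUserName'
                Reason  = $reason
            }
        }
    }
}

function Get-ServiceInstallIndicators {
    # System 7045: a service was installed.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $name  = Get-EventField $_ 'ServiceName'
        $image = Get-EventField $_ 'ImagePath'
        if ($name -eq 'DHCP Broadband' -or $image -like $ProductGlob) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Service   = $name
                ImagePath = $image
                Account   = Get-EventField $_ 'AccountName'
            }
        }
    }
}

Get-ProcessStartIndicators   | Format-Table -AutoSize
Get-ServiceInstallIndicators | Format-Table -AutoSize
```

Under normal operation the only 4688 hit should be dhcpt.exe itself with services.exe as the parent at service start; any row whose Reason names a probe name, or whose Parent is not services.exe, warrants a look at who wrote that file and when.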