Microsoft’s privilege escalation vulnerability that refuses to go away

THREAT LEVEL: Amber.

Seven months after it was addressed in the August 2021 Patch Tuesday release, this vulnerability remains unpatched. The locally exploited vulnerability is tracked as CVE-2021-34484 and affects the Windows User Profile Service. While a proof of concept has been available for some time, the vulnerability has not been actively exploited in the wild.

This elevation-of-privilege vulnerability was found by renowned researcher Abdelhamid Naceri and reported to Microsoft, which addressed it in its August 2021 release. Soon after the fix was issued, Naceri noted that it was incomplete and presented a proof of concept (PoC) that bypassed it on all Windows versions. The 0patch team then published an unofficial security update for all Windows versions and made it available for free download to all registered users. Microsoft patched the flaw again in its January 2022 release, tracking it as CVE-2022-21919. Naceri, however, discovered a way around this second patch as well. Microsoft’s second attempt to fix the bug also altered the “profext.dll” file, which removed 0patch’s unofficial workaround from every system that had installed the January 2022 Windows updates.

Organizations can mitigate this vulnerability by applying the unofficial 0patch micropatch using the steps below:

1. Update Windows 10 to the latest March 2022 patch.
2. Create a free account in 0patch Central.
3. Install and register the 0patch Agent.
4. An automated micro-patching process will then start and apply this patch.

Potential MITRE ATT&CK TTPs are:

TA0042: Resource Development
T1588: Obtain Capabilities
T1588.006: Obtain Capabilities: Vulnerabilities
TA0001: Initial Access
T1190: Exploit Public-Facing Application
TA0004: Privilege Escalation
T1068: Exploitation for Privilege Escalation
TA0005: Defense Evasion
T1548: Abuse Elevation Control Mechanism
