Unpatched Information Disclosure Vulnerability affects Microsoft Windows (zero-day) (CVE-2021-24084)

Security researchers have discovered an unpatched Windows OS security vulnerability that could allow information disclosure and local privilege escalation (LPE). The flaw (CVE-2021-24084) has yet to be officially fixed, which makes it a notable zero-day. An unofficial patch has, however, been released as a workaround.
 
The vulnerability affects the Windows Mobile Device Management component, and it could allow unauthorized access to the filesystem and the reading of arbitrary data. 
 
Abdelhamid Naceri was the researcher who first discovered and reported the flaw in October 2020, after which Microsoft fixed it in its February 2021 Patch Tuesday releases.
 
However, in June 2021, Naceri discovered that the patch could be bypassed to achieve the same goal. This month, the researcher also found that the incompletely fixed vulnerability could be used to gain administrator access and launch malware on Windows 10 devices running the latest security updates.
 
Despite the dangers that the vulnerability poses, it can only be exploited if certain conditions are met. One of them requires that the system protection feature be enabled on the C: drive, while another requires that at least one local administrator account exists on the machine.
 
Affected versions
Windows versions that are affected by this vulnerability are:

  • Windows 10 v21H1 (32 & 64 bit) updated with November 2021 Updates 
  • Windows 10 v20H2 (32 & 64 bit) updated with November 2021 Updates 
  • Windows 10 v2004 (32 & 64 bit) updated with November 2021 Updates 
  • Windows 10 v1909 (32 & 64 bit) updated with November 2021 Updates 
  • Windows 10 v1903 (32 & 64 bit) updated with November 2021 Updates 
  • Windows 10 v1809 (32 & 64 bit) updated with May 2021 Updates 

Mitigation  
Microsoft has not released patches that remediate the vulnerability. Customers are advised to contact Microsoft regarding official updates or workarounds. 
 
Qualys Detection  
Qualys customers can scan their devices with QID 91842 to detect vulnerable assets.  
  
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.  
  
