Executive Summary

CVE-2021-1732 is a local privilege escalation zero-day vulnerability, that is leveraged by an APT in their ongoing campaigns targeting Windows infrastructure. The attacker exploits a memory bug in the Windows kernel leading to privilege elevation and code execution on the target machine. 

Technical Details

CVE-2021-1732 exists as a result of a memory corruption bug in one of the components (Win32K) in the Windows kernel; upon exploitation, it may trigger out-of-bounds access. Successful exploitation of the bug will give the attacker the ability to obtain System Token that grants the highest privilege to any process in Windows environment leading to potential escalation of privilege from normal user to kernel level which is equivalent to a root user in Linux. The malicious actor pairs this vulnerability with RCE to execute commands on the system with elevated privileges.

Very recently, reports emerged about an APT group dubbed Bitter APT that exploited this bug in their campaigns using the 0-day exploit code.

Affected Platforms

The table given below summarises affected Windows platforms and the respective build versions:

Impact

• System level privilege is the highest privilege in Windows OS, a process with system privilege can have read/ write access for any assets in the environment.
• Only an authenticated attacker can run arbitrary code with elevated privileges.
• Client-side vulnerabilities can be paired with this vulnerability via social engineering, to compromise the victim.

Mitigation

MSRC has rolled out patches in their latest release of Patch Tuesday (February 09 2021):

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1732