Cisco Talos is releasing new SNORTⓇ rules to protect against the exploitation of a zero-day elevation of privilege vulnerability in Microsoft Windows Installer. This vulnerability allows an attacker with a limited user account to elevate their privileges to become an administrator. This vulnerability affects every version of Microsoft Windows, including fully patched Windows 11 and Server 2022. Talos has already detected malware samples in the wild that are attempting to take advantage of this vulnerability.
Microsoft released an update that was intended to fix CVE-2021-41379 on Nov. 9 as part of its monthly security update. Security researcher Abdelhamid Naceri initially discovered this elevation of privilege vulnerability and worked with Microsoft to address it. However, the patch released by Microsoft was not sufficient to remediate the vulnerability, andNaceri published proof-of-concept exploit code on GitHub on Nov. 22 that works despite the fixes implemented by Microsoft. The code Naceri released leverages the discretionary access control list (DACL) for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI file, allowing an attacker to run code as an administrator.
Although Microsoft initially scored this as a medium- severity vulnerability, having a base CVSS score of 5.5, and a temporal score of 4.8, the release of functional proof-of-concept exploit code will certainly drive additional abuse of this vulnerability. As of the publication of this blog, there is no patch available from Microsoft.
Snort rule SIDs 58635 and 58636 will keep users protected from exploitation of this vulnerability. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.