CISA Alerts to Microsoft Windows Win32K Privilege Escalation Flaw

February 10, 2021 - A privilege escalation flaw in Microsoft Win32k could allow an attacker to take control of the affected system. The Department of Homeland Security Cybersecurity and Infrastructure Security Agency is urging all entities to apply the patch to Windows 10 and 2019 servers.

The patch was released as part of 55 vulnerabilities addressed by Microsoft on Patch Tuesday.

Made public on February 9, the CVE-2021-1732 vulnerability is found in Windows Server, versions 1909, 2004, and 20H2, as well as Windows 10. Researchers have already detected an exploitation of the flaw in the wild, which further amplifies the need for entities to patch.

The vulnerability is found in the Windows Win32k operating system kernel and received a severity ranking of 7.8 on the CVSS scale. If successfully exploited, an attacker who is able to log into the system could execute any chosen code within the kernel context to obtain system privileges via a specially crafted application.

As a result, the attacker would gain the ability to freely access or launch any malicious act of their choosing on the compromised system.

“The vulnerable component is not bound to the network stack, and the attacker’s path is via read/write/execute capabilities,” Microsoft researchers warned. “Either: the attacker exploits the vulnerability by accessing the target system locally, e.g. keyboard or console, or remotely.”

“[Alternatively], the attacker relies on user interaction by another person to perform actions required to exploit the vulnerability, e.g. tricking a legitimate user into opening a malicious document,” they added.

The exploit does not require specialized conditions or extenuating circumstances to find success. Further, a hacker can expect repeatable success against the vulnerable component. 

The attacker need only use legitimate credentials to impact settings and files to exploit the vulnerability. On the other hand, an attacker with low level privileges could impact non-sensitive resources. But overall, unpatched systems can be exploited without any user interaction.

Further, a successful exploit will only impact resources managed by the same security authority. There’s a high risk of a total loss of confidentiality with a successful attack, which could result in all resources within the impacted component being divulged to the attacker.

In lesser instances, an exploit may only result in some restricted information being obtained by the actor. But the disclosed information in this circumstance still presents a direct, serious impact.

In one of the worst case scenarios for a successful exploit, a hacker could cause a total loss of availability of the system. An attacker could fully deny access to resources in the impacted component.

“This loss is either sustained, while the attacker continues to deliver the attack, or persistent,” researchers noted.

Entities should apply the software update provided by Microsoft as soon as they’re able to prevent a successful exploit.

In healthcare, where patch management struggles are rampant, it’s crucial for entities to take swift action on known vulnerabilities. Providers accounted for 79 percent of all data breaches in 2020.

Further, the sector has remained a prime target for attack, especially with the vaccine rollout in recent months, with attackers commonly preying on known vulnerabilities to gain network access. Previous insights from a healthcare CISO and from federal agency alerts urge effective patch management.

IU Health CISO Mitch Parker recently explained that healthcare entities that fail to timely patch lower “the security of [their] entire network to accommodate it and use it.”

“Providers now, because of the complete change in infrastructure, are facing a greater number of vulnerabilities, and we have to ensure the care strategy that we now have can meet our needs,” he added.