A security researcher has discovered a zero-day vulnerability in Windows Mobile Device Management that could allow local privilege escalation (LPE).
Microsoft originally issued a security update for CVE-2021-24084 in February 2021. Researcher Abdelhamid Naceri had reported the issue as an information disclosure vulnerability back in October 2020.
However, Naceri recently discovered that CVE-2021-24084 could also lead to LPE using the same exploitation approach as the HiveNightmare/SeriousSAM bug. Moreover, Naceri warned in a tweet that there is still no official long-term patch to address the issue.
Mitja Kolsek of the 0Patch team further described the vulnerability in a blog post on November 26:
“The vulnerable functionality resides under the ‘Access work or school’ settings and can be triggered by clicking on ‘Export your management log files’ and confirming by pressing ‘Export’. At that point, the Device Management Enrollment Service is triggered, running as Local System.”
“This service first copies some log files to the C:\ProgramData\Microsoft\MDMDiagnostics folder, and then packages them into a CAB file whereby they’re temporarily copied to C:\Windows\Temp folder. The resulting CAB file is then stored in the C:\Users\Public\Public Documents\MDMDiagnostics folder, where the user can freely access it,” Kolsek added.
0Patch subsequently issued a micropatch as a temporary fix for the information disclosure vulnerability CVE-2021-24084 until Microsoft issues a permanent patch.