0patch fixes Windows Installer LPE-Bug (CVE-2021-26415)

[German]ACROS Security has released a micropatch for the CVE-2021-26415 vulnerability in Windows Installer. This vulnerability was patched by Microsoft in April 2021 via a security update. The 0patch solution is for people who do not have an ESU license.


The vulnerability CVE-2021-26415

Vulnerability CVE-2021-26415 is a vulnerability in Windows Installer that allows Elevation of Privilege on Windows. This vulnerability allows local attackers to write data to arbitrary files on affected installations of Microsoft Windows. An attacker must first gain the ability to execute low-privilege code on the target system to exploit this vulnerability.

The specific flaw exists within the Windows Installer service. The issue results from the lack of proper validation of a user-supplied path before it is used in file operations. An attacker can exploit this vulnerability to escalate privileges and execute arbitrary code in the context of an administrator. The vulnerability is a classic symbolic link issue where a privileged process (in this case msiexec.exe) operates on a file (in this case the installer log file) that the attacker can "redirect" to another location where they do not have privileges to create or modify files.

Microsoft has released security updates for Windows Server 2008 R2 through Windows Server 2004 and 20H2 as of April 13, 2021. However, Windows Server 2008 R2 systems will only receive this security update if a valid ESU license is in place. On April 21, security researcher Adrian Denkiewicz published a detailed analysis of the local privilege escalation vulnerability in Windows Installer, which was fixed in the April 2021 Windows Updates. Adrian's analysis included a proof-of-concept. 

0patch Micropatch for Windows 7/Server 2008 R2

Mitja Kolsek of ACROS Security points out in the following tweet that there is a micropatch for the vulnerability in Windows Installer for Windows 7 SP1 and Windows Server 2008 R2.

0Patch Fix für CVE-2021-26415


The micropatch is available for systems running Windows 7 SP1 and Windows Server 2008 R2 that do not have Extended Security Update support (ESU) from Microsoft, but have an opatch Pro subscription (for 23 Euro+VAT/year) – see also this blog post. Notes on how the 0patch agent works, which loads the micropatches into memory at runtime of an application, can be found in the blog posts (like here).

Similar articles:
Windows 7: Forcing February 2020 Security Updates – Part 1
Windows 7: Securing with the 0patch solution – Part 2
0patch supports Office 2010 with micro patches after the end of support (EOL)
Windows 7/Server 2008/R2: 0patch delivers security patches after support ends
Project: Windows 7/Server 2008/R2 Life Extension & 0patch one month trial
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683
0patch fix for Windows GDI+ vulnerability CVE-2020-0881
0-day vulnerability in Windows Adobe Type Library
0patch fixes CVE-2020-0687 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1048 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1015 in Windows 7/Server 2008 R2
0patch for 0-day RCE vulnerability in Zoom for Windows
Windows Server 2008 R2: 0patch fixes SIGRed vulnerability
0patch fixes CVE-2020-1113 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1337 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1530 in Windows 7/Server 2008 R2
0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2
0patch fixes CVE-2020-1062 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1300 in Windows 7/Server 2008 R2
0patch fixes 0-day vulnerability in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1013 in Windows 7/Server 2008 R2
0patch fixes a Local Privilege Escalation 0-day in Sysinternals PsExec
0patch fixes Windows Installer 0-day Local Privilege Escalation vulnerability
0patch fixes 0-day in Internet Explorer
0patch fixes CVE-2021-26877 in the DNS server of Windows Server 2008 R2

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Windows and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *