Windows 2004/20H2 vuln
Date of Notice: 5/20/2021
Description
MCNC would like to make you aware of a new threat affecting some versions of Windows 10 and Windows Server. This vulnerability, tracked as CVE-2021-31166, is believed to allow remote code execution and could become wormable (i.e., able to spread from device to device without human interaction) in the near future.
Due to the nature and critical severity of this vulnerability, and its ability to impact Windows devices that are internal to your network, MCNC recommends patching as soon as possible.
Full information including affected versions and update downloads can be found on the official Microsoft security page.
Affected Devices
- Windows 10 versions 2004 or 20H2
- Windows Server Semi-Annual Channel (SAC) versions 2004 or 20H2
- NOTE: This does not affect Long-Term Servicing Channel (LTSC) Windows Server such as Server 2016 or 2019.
Attack Vector
Any student, employee, or person with internal or external network access to a vulnerable device may exploit this vulnerability.
Attack Feasibility
Currently there is a proof of concept freely available on GitHub which permits any device capable of running Python to execute a forced reboot of the target device. The attacker only needs the IP address of the target machine and can easily execute this repeatedly in a sweeping fashion to disrupt the learning environment.
Mitigations
As network access is required to exploit this vulnerability, properly segmented networks will prevent a scenario where a student attempts to exploit an instructor device to disrupt learning. For externally facing Windows Server SAC 2004 and 20H2 devices, any bad actor with IP access can exploit this vulnerability.
Remediation
Because simple network access is required, the only true remediation is to update these devices as soon as possible.
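To turn the Affected Devices list and the note on externally facing servers into a patch order, the following added example (not part of the MCNC notice) triages an asset inventory. The CSV column names, hostnames, and sample rows are constructed assumptions; adapt them to whatever your inventory tool exports.

```python
import csv
import io

# Versions named in the notice as affected.
AFFECTED_VERSIONS = {"2004", "20H2"}

# Constructed sample inventory; the columns are an assumed export format.
SAMPLE_INVENTORY = """\
hostname,product,channel,version,exposure
lab-pc-01,Windows 10,,20H2,internal
lab-pc-02,Windows 10,,1909,internal
teacher-01,Windows 10,,2004,internal
web-01,Windows Server,SAC,20H2,external
file-01,Windows Server 2019,LTSC,1809,internal
core-02,Windows Server,SAC,2004,internal
"""


def is_affected(row):
    """Apply the notice's Affected Devices list to one inventory row."""
    product = row["product"].strip().lower()
    channel = row["channel"].strip().upper()
    version = row["version"].strip().upper()
    if version not in AFFECTED_VERSIONS:
        return False
    if product == "windows 10":
        return True
    # Only Semi-Annual Channel servers are listed; LTSC releases are not.
    if product.startswith("windows server"):
        return channel == "SAC"
    return False


def triage(csv_text):
    """Return (hostname, exposure) for affected hosts, external ones first."""
    affected = [r for r in csv.DictReader(io.StringIO(csv_text)) if is_affected(r)]
    # Externally facing hosts are reachable by anyone with IP access,
    # so they sort ahead of internal hosts; ties break on hostname.
    affected.sort(key=lambda r: (r["exposure"].strip().lower() != "external",
                                 r["hostname"]))
    return [(r["hostname"], r["exposure"].strip().lower()) for r in affected]


if __name__ == "__main__":
    for host, exposure in triage(SAMPLE_INVENTORY):
        print(f"patch: {host} ({exposure})")
```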