CVE-2021-1647: Microsoft Defender Remote Code Execution Vulnerability

Overview

Severity
High (CVSS 7.8)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Category
Remote Code Execution
Exploit Status
Actively Exploited
Exploitation Likelihood
Detected
Patch Tuesday
2021-Jan
Released
2021-01-12
Last Updated
2021-01-15
EPSS Score
77.39% (percentile: 99.0%)
CISA KEV
Listed — due 2021-11-17

FAQ

References Identification Last version of the Microsoft Malware Protection Engine affected by this vulnerability Version 1.1.17600.5 First version of the Microsoft Malware Protection Engine with this vulnerability addressed Version 1.1.17700.4 See Manage Updates Baselines Microsoft Defender Antivirus for more information. Microsoft Defender is disabled in my environment, why are vulnerability scanners showing that I am vulnerable to this issue? Vulnerability scanners are looking for specific binaries and version numbers on devices. Microsoft Defender files are still on disk even when disabled. Systems that have disabled Microsoft Defender are not in an exploitable state. Why is no action required to install this update? In response to a constantly changing threat landscape, Microsoft frequently updates malware definitions and the Microsoft Malware Protection Engine. In order to be effective in helping protect against new and prevalent threats, antimalware software must be kept up to date with these updates in a timely manner. For enterprise deployments as well as end users, the default configuration in Microsoft antimalware software helps ensure that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically. Product documentation also recommends that products are configured for automatic updating. Best practices recommend that customers regularly verify whether software distribution, such as the automatic deployment of Microsoft Malware Protection Engine updates and malware definitions, is working as expected in their environment. How often are the Microsoft Malware Protection Engine and malware definitions updated? Microsoft typically releases an update for the Microsoft Malware Protection Engine once a month or as needed to protect against new threats. Microsoft also typically updates the malware definitions three times daily and can increase the frequency when needed. Depending on which Microsoft antimalware softwa

Detection & Weaponization (2 sources)

Maturity: Detection

  • YARA rules: expl_cve_2021_1647.yar, ARKBIRD_SOLG_EXP_CVE_2021_1647_Apr_2021_1, SIGNATURE_BASE_EXPL_CVE_2021_1647_Apr21_1
  • GitHub PoC: 1 repositories

Affected Products (42)

System Center

  • Microsoft System Center Endpoint Protection
  • Microsoft System Center 2012 R2 Endpoint Protection
  • Microsoft Security Essentials
  • Microsoft System Center 2012 Endpoint Protection
  • Windows Defender on Windows 10 Version 1803 for 32-bit Systems
  • Windows Defender on Windows 10 Version 1803 for x64-based Systems
  • Windows Defender on Windows 10 Version 1803 for ARM64-based Systems
  • Windows Defender on Windows 10 Version 1809 for 32-bit Systems
  • Windows Defender on Windows 10 Version 1809 for x64-based Systems
  • Windows Defender on Windows 10 Version 1809 for ARM64-based Systems
  • Windows Defender on Windows Server 2019
  • Windows Defender on Windows Server 2019 (Server Core installation)
  • Windows Defender on Windows 10 Version 1909 for 32-bit Systems
  • Windows Defender on Windows 10 Version 1909 for x64-based Systems
  • Windows Defender on Windows 10 Version 1909 for ARM64-based Systems
  • Windows Defender on Windows Server, version 1909 (Server Core installation)
  • Windows Defender on Windows 10 Version 2004 for 32-bit Systems
  • Windows Defender on Windows 10 Version 2004 for ARM64-based Systems
  • Windows Defender on Windows 10 Version 2004 for x64-based Systems
  • Windows Defender on Windows Server, version 2004 (Server Core installation)
  • Windows Defender on Windows 10 Version 20H2 for 32-bit Systems
  • Windows Defender on Windows 10 Version 20H2 for ARM64-based Systems
  • Windows Defender on Windows Server, version 20H2 (Server Core Installation)
  • Windows Defender on Windows 10 for 32-bit Systems
  • Windows Defender on Windows 10 for x64-based Systems
  • Windows Defender on Windows 10 Version 1607 for 32-bit Systems
  • Windows Defender on Windows 10 Version 1607 for x64-based Systems
  • Windows Defender on Windows Server 2016
  • Windows Defender on Windows Server 2016 (Server Core installation)
  • Windows Defender on Windows 7 for 32-bit Systems Service Pack 1
  • Windows Defender on Windows 7 for x64-based Systems Service Pack 1
  • Windows Defender on Windows 8.1 for 32-bit systems
  • Windows Defender on Windows 8.1 for x64-based systems
  • Windows Defender on Windows RT 8.1
  • Windows Defender on Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Defender on Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Defender on Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Defender on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Defender on Windows Server 2012
  • Windows Defender on Windows Server 2012 (Server Core installation)
  • Windows Defender on Windows Server 2012 R2
  • Windows Defender on Windows Server 2012 R2 (Server Core installation)

Revision History

  • 2021-01-12: Information published.
  • 2021-01-14: Updated FAQ information. This is an informational change only.
  • 2021-01-15: Added an FAQ. This is an information change only.