CVE-2021-31199 — Microsoft Enhanced Cryptographic Provider Privilege Escalation Vulnerability

CVE-2021-31199

Windows Enhanced Cryptographic Provider — Local Privilege Escalation Zero-Day Exploited in Targeted Attacks; Patched June 2021 Alongside CVE-2021-31201

What is the Windows Enhanced Cryptographic Provider?

The Microsoft Enhanced Cryptographic Provider is a user-mode Cryptographic Service Provider (CSP) for the legacy Windows CryptoAPI (CAPI). Its DLL, rsaenh.dll, also backs the related Base, Strong and "Enhanced RSA and AES" providers, so between them it implements RSA, DES/3DES, RC2/RC4, AES and the MD5/SHA hash families. Applications and Windows components reach it through CryptAcquireContext and the other Crypt* functions for encryption, decryption, signing, hashing and key-container management. The provider is loaded into the calling process and runs with that process's token, and it parses caller-supplied input: key blobs, data buffers, algorithm parameters and container names. A memory-safety or validation flaw in that parsing therefore becomes a privilege escalation only where the provider executes inside a more privileged process that handles attacker-influenced input, such as a service or broker that imports keys or signs data on a low-privileged caller's behalf; the crafted input then corrupts the privileged caller's state rather than the attacker's own process.
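The following is an added example, not code from the advisory or from Microsoft, showing how an ordinary application reaches the Enhanced provider through CAPI and that rsaenh.dll ends up inside the calling process. The provider name and type are the real CAPI identifiers; the key container name is an assumption (any unused name works, and the container is deleted at the end). Windows only.

```powershell
# Added example (not from the advisory or from Microsoft): reach the Microsoft
# Enhanced Cryptographic Provider through CryptoAPI from PowerShell and show
# that rsaenh.dll is loaded into the calling process. Windows only.
$ErrorActionPreference = 'Stop'

# Real CAPI identifiers: the Enhanced provider's canonical name and the
# PROV_RSA_FULL provider type (1). The container name is an assumption.
$csp = New-Object System.Security.Cryptography.CspParameters
$csp.ProviderName     = 'Microsoft Enhanced Cryptographic Provider v1.0'
$csp.ProviderType     = 1
$csp.KeyContainerName = 'rsaenh-demo-container'

# Constructing RSACryptoServiceProvider with explicit CspParameters calls
# CryptAcquireContext, which maps the provider name to rsaenh.dll and loads it.
$rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048, $csp)

# Make the provider do real work: an RSA-OAEP round trip on a constructed
# message (CRYPT_OAEP is documented as supported by the Enhanced provider).
$plain = [System.Text.Encoding]::UTF8.GetBytes('constructed sample message')
$ct    = $rsa.Encrypt($plain, $true)
$back  = $rsa.Decrypt($ct, $true)

[pscustomobject]@{
    Provider       = $rsa.CspKeyContainerInfo.ProviderName
    ProviderType   = $rsa.CspKeyContainerInfo.ProviderType
    CiphertextBits = $ct.Length * 8
    RoundTripOk    = ([System.Text.Encoding]::UTF8.GetString($back) -eq 'constructed sample message')
}

# The provider runs in-process: it should now appear in our own module list,
# and its file version is the same one a patch check would inspect.
$mod = (Get-Process -Id $PID).Modules | Where-Object { $_.ModuleName -ieq 'rsaenh.dll' }
if ($mod) {
    'rsaenh.dll loaded from {0}, file version {1}' -f $mod.FileName, $mod.FileVersionInfo.FileVersion
} else {
    'rsaenh.dll not found in this process; on Windows this is unexpected'
}

# Remove the throwaway key container from the user key store.
$rsa.PersistKeyInCsp = $false
$rsa.Clear()
```

Run it as a standard user. The point of the module check is the one the paragraph makes: the provider is a user-mode DLL executing under the caller's token, so a bug in it only buys elevation when the caller that parses the hostile input is itself privileged.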

Overview

CVE-2021-31199 is an elevation of privilege vulnerability in the Microsoft Enhanced Cryptographic Provider that was exploited in the wild before a fix existed and was patched on 2021-06-08 (June 2021 Patch Tuesday). The Scope: Changed (S:C) component of the vector means a successful exploit affects resources governed by a different security authority than the vulnerable component; for a user-mode provider that points to a crossing from a low-privileged caller into a more privileged process that hosts the provider. CVE-2021-31201 was fixed in the same release against the same component with the same vector, and Microsoft treated both as exploited zero-days. The Kaspersky attribution on this page is an inference from the other June 2021 zero-days (see Discovery below); the vendor advisory in the References is the authoritative source for credit. CISA added both CVEs to the KEV catalog on 2021-11-03.

Affected Versions

Product | Vulnerable | Fixed
Windows 10 (all releases supported at the time) | Yes | June 2021 Patch Tuesday (2021-06-08)
Windows 7 (Extended Security Updates) and Windows 8.1 | Yes | June 2021 Patch Tuesday (2021-06-08)
Windows Server 2008 R2 through Windows Server 2019 (see the Microsoft advisory for the exact SKU list) | Yes | June 2021 Patch Tuesday (2021-06-08)

Technical Details

  • Root cause: Microsoft describes CVE-2021-31199 only as an elevation of privilege vulnerability in the Enhanced Cryptographic Provider (rsaenh.dll); the specific defect is not publicly documented. The S:C/C:L/I:L profile is consistent with attacker-controlled input to a CAPI call corrupting state in a more privileged process that hosts the provider, but that reading is inferred from the vector, not confirmed by the vendor
  • Scope: Changed (S:C): the impact lands outside the security authority of the vulnerable component, i.e. a low-privileged caller affects a higher-privileged context. rsaenh.dll is a user-mode DLL and nothing in the advisory indicates a kernel-mode component, so the escalation target is most plausibly a privileged process rather than the kernel
  • AV:L/AC:L/PR:L/UI:N: local exploitation from an existing low-privileged foothold, with no user interaction and no timing or race condition required. The C:L/I:L/A:N impacts are each rated Low, which is why the base score is 5.2 (Medium) despite in-the-wild exploitation; the CVSS base vector does not score exploit maturity
  • Paired vulnerability: CVE-2021-31201 was patched in the same release, against the same component, with the same vector and the same exploited-in-the-wild status. The pairing suggests two distinct flaws in the provider were used together or interchangeably by one actor, though the vendor advisory does not describe a chain
  • Kaspersky context: Kaspersky published the PuzzleMaker chain (CVE-2021-31955 and CVE-2021-31956) in the same June 2021 release. Whether CVE-2021-31199/31201 belong to that or any other Kaspersky-reported campaign is not established by the sources on this page; treat the link as a hypothesis

Discovery

This page attributes the discovery to Kaspersky researchers by analogy with the other June 2021 zero-days Kaspersky reported (the PuzzleMaker chain); that is an inference and should be checked against the acknowledgements in the Microsoft advisory linked below. What is established: Microsoft patched CVE-2021-31199 and CVE-2021-31201 in the June 2021 release and marked both as exploited in the wild, and CISA added both to the KEV catalog on 2021-11-03 with a 2021-11-17 remediation deadline for federal agencies, reflecting continued exploitation risk on unpatched systems.

Exploitation Context

Cryptographic provider vulnerabilities of this kind are used in targeted intrusions after an actor already has code execution as a low-privileged user (for example inside a sandboxed document reader or browser renderer) and needs a higher-privileged context to persist or move laterally. The Enhanced Cryptographic Provider is loaded by many Windows components, services and applications, so the vulnerable code is reachable from low-privileged processes through ordinary CAPI calls. The simultaneous in-the-wild exploitation of CVE-2021-31199 and CVE-2021-31201 suggests that one actor held both and used them together, consistent with a group maintaining a supply of Windows LPE zero-days in mid-2021, as Kaspersky documented for PuzzleMaker; the link between the two sets of bugs is a hypothesis, not something the vendor advisory states.

Remediation

  1. Apply the June 2021 (2021-06-08) cumulative update for every supported Windows version; the same update fixes both CVE-2021-31199 and CVE-2021-31201, so there is no separate package to install
  2. Keep Windows on the current cumulative update via Windows Update, WSUS or your management tooling; later cumulative updates carry the fix, so a host current on any update from June 2021 onward is covered
  3. Verify rather than assume: check the installed update list and the file version of %SystemRoot%\System32\rsaenh.dll against the fixed version given in the KB article referenced by the Microsoft advisory
  4. Keep Microsoft Defender (or your EDR) with real-time and behavior monitoring enabled; this does not patch the flaw but can catch the post-exploitation activity (process injection, credential access, persistence) that follows a local privilege escalation
  5. HVCI (Hypervisor-Protected Code Integrity) and Credential Guard remain worthwhile hardening, but they constrain kernel code and protect LSA secrets respectively; rsaenh.dll is a user-mode DLL, so they do not block this class of escalation by themselves. The patch is the mitigation
  6. Monitor the Security log for escalation signals following low-privileged activity: Event ID 4672 (special privileges assigned to new logon) for interactive user accounts, and Event ID 4688 (process creation; requires process-creation auditing) showing High or System integrity processes created under a standard user's session
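The following is an added example, not from the advisory or from Microsoft, implementing steps 3 and 6 above on a single host: it reads the rsaenh.dll file version and the post-2021-06-08 update list, then scans the Security log for 4672 and 4688 events that involve a non-service account. The fixed rsaenh.dll version is build-specific and must be taken from the KB article behind the Microsoft advisory; the 10.0.0.0 default is a placeholder that every build passes, labelled as such. The 4688 filter (High/System integrity processes under a user account) is a baseline heuristic, not a signature for this CVE. Run in an elevated session, since standard users cannot read the Security log.

```powershell
# Added example (not from the advisory or from Microsoft): verify that the
# June 2021 fix reached rsaenh.dll on this host and surface the privilege
# escalation signals from step 6. Run elevated on Windows.
param(
    # ASSUMPTION: the fixed rsaenh.dll version comes from the KB article behind
    # the Microsoft advisory. 10.0.0.0 is a placeholder every build passes;
    # replace it before relying on MeetsFixedVersion.
    [version]$FixedRsaenhVersion = '10.0.0.0',
    [int]$LookbackHours = 24
)

$patchDate = [datetime]'2021-06-08'   # June 2021 Patch Tuesday

function Get-RsaenhPatchState {
    $dll = Get-Item (Join-Path $env:SystemRoot 'System32\rsaenh.dll')
    $vi  = $dll.VersionInfo
    # FileVersion is a display string with a build tag appended; build a
    # comparable [version] from the numeric parts instead.
    $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $updates = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchDate } |
        Sort-Object InstalledOn
    [pscustomobject]@{
        RsaenhPath           = $dll.FullName
        RsaenhVersion        = $ver
        MeetsFixedVersion    = ($ver -ge $FixedRsaenhVersion)
        UpdatesSince20210608 = @($updates | ForEach-Object { $_.HotFixID })
    }
}

function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    # Resolve EventData by element name rather than positional index; the
    # field layout of 4688 differs across Windows releases.
    $x = [xml]$Event.ToXml()
    ($x.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-EscalationSignals {
    $since   = (Get-Date).AddHours(-$LookbackHours)
    $builtin = @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE')
    $filter  = @{ LogName = 'Security'; Id = 4672, 4688; StartTime = $since }
    $events  = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $subject = Get-EventField $e 'SubjectUserName'
        # Skip built-in, machine and session-helper accounts; they hold special
        # privileges by design and would drown the signal.
        if (-not $subject -or $subject.EndsWith('$') -or
            $builtin -contains $subject -or $subject -match '^(DWM|UMFD)-\d+$') { continue }
        if ($e.Id -eq 4672) {
            [pscustomobject]@{ Time = $e.TimeCreated; Id = 4672; Subject = $subject
                               Detail = 'special privileges: ' + (Get-EventField $e 'PrivilegeList') }
        } else {
            # 4688: flag High (S-1-16-12288) / System (S-1-16-16384) integrity
            # processes created under a user account.
            $label = Get-EventField $e 'MandatoryLabel'
            if ($label -in 'S-1-16-12288', 'S-1-16-16384') {
                [pscustomobject]@{ Time = $e.TimeCreated; Id = 4688; Subject = $subject
                                   Detail = (Get-EventField $e 'NewProcessName') + " at $label, parent " +
                                            (Get-EventField $e 'ParentProcessName') }
            }
        }
    }
}

Get-RsaenhPatchState
Get-EscalationSignals | Sort-Object Time | Format-Table -AutoSize
```

Get-HotFix reports only what Win32_QuickFixEngineering knows about, so treat an empty UpdatesSince20210608 as "check WSUS/Intune" rather than "unpatched"; the file version comparison is the stronger test once the real fixed version is supplied. Expect UAC-elevated administrator activity to appear in the 4688 output on admin workstations; the value is in High/System processes under accounts that should never elevate.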

Key Details

Property | Value
CVE ID | CVE-2021-31199
Vendor / Product | Microsoft — Enhanced Cryptographic Provider
NVD Published | 2021-06-08
NVD Last Modified | 2025-10-30
CVSS 3.1 Score | 5.2
CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Severity | MEDIUM
CISA KEV Added | 2021-11-03
CISA KEV Deadline | 2021-11-17
Known Ransomware Use | No

CVSS 3.1 Breakdown

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
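As an added check that is not part of the original page, the 5.2 can be recomputed from the vector with the CVSS v3.1 base equations (Scope Changed branch); it shows where the S:C classification enters the arithmetic:

\[
\mathrm{ISS} = 1 - (1-0.22)_{C:L}\,(1-0.22)_{I:L}\,(1-0)_{A:N} = 0.3916
\]
\[
\mathrm{Impact}_{S:C} = 7.52\,(\mathrm{ISS}-0.029) - 3.25\,(\mathrm{ISS}-0.02)^{15} \approx 2.7268
\]
\[
\mathrm{Exploitability} = 8.22 \times 0.55_{AV:L} \times 0.77_{AC:L} \times 0.68_{PR:L,\ S:C} \times 0.85_{UI:N} \approx 2.0121
\]
\[
\mathrm{Base} = \mathrm{Roundup}\!\left(\min\big(1.08\,(2.7268 + 2.0121),\,10\big)\right) = \mathrm{Roundup}(5.118) = 5.2
\]

With Scope Unchanged the same impacts would give \(\mathrm{Impact}_{S:U} = 6.42 \times 0.3916 \approx 2.514\), a PR:L weight of 0.62 (exploitability \(\approx 1.835\)) and no 1.08 multiplier, for a base of \(\mathrm{Roundup}(4.349) = 4.4\); the boundary crossing is worth almost a full point here.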

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date | Event
2021-06-08 | Microsoft patches CVE-2021-31199 in June 2021 Patch Tuesday, confirmed as an exploited zero-day and patched alongside CVE-2021-31201
2021-06-08 | CVE published
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17 | CISA BOD 22-01 remediation deadline

References

Resource | Type
Microsoft Security Advisory — CVE-2021-31199 | Vendor Advisory
NVD — CVE-2021-31199 | Vulnerability Database
CISA KEV Catalog Entry | US Government