CVE-2021-31201 — Microsoft Enhanced Cryptographic Provider Privilege Escalation Vulnerability

Windows Enhanced Cryptographic Provider — Local Privilege Escalation Zero-Day Exploited in Targeted Attacks; Patched June 2021 Alongside CVE-2021-31199

What is the Windows Enhanced Cryptographic Provider?

The Microsoft Enhanced Cryptographic Provider (rsaenh.dll) is a Cryptographic Service Provider (CSP) implementing RSA, AES, DES, 3DES, and RC2/RC4 algorithms for Windows applications via the Windows CryptoAPI (CAPI). It is loaded into user-mode processes that call CryptoAPI functions for encryption, decryption, digital signing, and key management. Because cryptographic providers execute within the caller's process and process attacker-influenced inputs (key material, algorithm parameters, data buffers), memory management vulnerabilities in the provider can be exploited through crafted cryptographic API calls. Privilege escalation occurs when manipulated parameters cause the provider to affect resources outside the caller's normal security boundary (S:C — Scope: Changed).

Overview

CVE-2021-31201 is a privilege escalation vulnerability in the Microsoft Enhanced Cryptographic Provider, patched in the June 2021 Patch Tuesday release as a confirmed zero-day. Its CVSS profile — AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N — is identical to that of CVE-2021-31199, indicating both vulnerabilities share the same fundamental class: a low-privilege local process exploiting the cryptographic provider to cross a security boundary. Both zero-days were discovered by Kaspersky and patched in the same Patch Tuesday cycle. CISA added both to the KEV catalog on the same day in November 2021, reflecting concurrent active exploitation.

Affected Versions

Product | Vulnerable | Fixed
Windows 10 and later | Yes | June 2021 Patch Tuesday
Windows 7/8.1 (with Extended Security Updates) | Yes | June 2021 Patch Tuesday
Windows Server 2008 R2 through 2022 | Yes | June 2021 Patch Tuesday

Technical Details

  • Root cause: a privilege escalation vulnerability in the Windows Enhanced Cryptographic Provider (rsaenh.dll). The specific mechanism is not publicly documented; the CVSS profile identical to that of CVE-2021-31199 suggests a parallel exploitable condition in the same component, potentially a different code path with the same outcome: a low-privilege process crossing a security boundary via crafted cryptographic API calls
  • Scope: Changed (S:C): The exploitable condition reaches beyond the caller's security context — consistent with a cryptographic library vulnerability where attacker-controlled parameters influence execution in a more privileged context (such as affecting another process's cryptographic state or reaching kernel-mode cryptographic operations)
  • AV:L/AC:L/PR:L: Local exploitation requiring only low-privilege access with no special timing or race conditions; a low-privilege process that makes specific CryptoAPI calls triggers the privilege escalation
  • Paired with CVE-2021-31199: Both CVEs describe distinct exploitable conditions in the same component (rsaenh.dll), both discovered and patched together, both added to KEV together — consistent with a threat actor holding two parallel exploitation techniques for Windows cryptographic infrastructure
  • Kaspersky attribution: Consistent with Kaspersky's June 2021 Patch Tuesday discoveries; the same Kaspersky research team that documented the PuzzleMaker exploit chain (CVE-2021-21224/31956/33739) also discovered CVE-2021-31199/31201, suggesting a broader investigation of Windows LPE zero-days during this period

Discovery

Attributed to Kaspersky researchers based on the pattern of June 2021 Patch Tuesday zero-days. Microsoft confirmed in-the-wild exploitation in the security advisory. CISA's simultaneous addition of CVE-2021-31199 and CVE-2021-31201 to KEV in November 2021 reflects ongoing exploitation of unpatched Windows systems beyond the June 2021 patch window.

Exploitation Context

Cryptographic provider LPE zero-days like CVE-2021-31201 are used in targeted attack chains where actors have initial code execution (via a browser, document, or other vector) and require privilege escalation to SYSTEM or another elevated context. The co-exploitation of CVE-2021-31199 and CVE-2021-31201 gives a threat actor two independent paths to privilege escalation via the same component — increasing exploit chain reliability if one path becomes unreliable or fails under specific system conditions. Both were likely used as backup or complementary techniques in the same targeted attack infrastructure. The Windows Enhanced Cryptographic Provider is loaded by nearly every application that performs cryptographic operations, providing a broad attack surface reachable from any low-privilege process on the system.

Remediation

  1. Apply June 2021 Patch Tuesday cumulative updates — patches CVE-2021-31201 and CVE-2021-31199 simultaneously in the Enhanced Cryptographic Provider
  2. Prioritize both CVE-2021-31199 and CVE-2021-31201 patches together — the same cumulative update addresses both zero-days
  3. Maintain Windows fully patched via Windows Update or WSUS — cryptographic provider fixes are included in cumulative updates
  4. Enable Windows Defender and behavioral monitoring for unexpected privilege escalation events following cryptographic API usage
  5. Use HVCI (Hypervisor-Protected Code Integrity) and Credential Guard to limit exploitation impact by restricting kernel-mode code loading
  6. Monitor Windows Security event logs for privilege escalation events associated with rsaenh.dll or unexpected CryptoAPI behavior

Key Details

Property | Value
CVE ID | CVE-2021-31201
Vendor / Product | Microsoft — Enhanced Cryptographic Provider
NVD Published | 2021-06-08
NVD Last Modified | 2025-10-30
CVSS 3.1 Score | 5.2
CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Severity | MEDIUM
CISA KEV Added | 2021-11-03
CISA KEV Deadline | 2021-11-17
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric | Value
Attack Vector | Local
Attack Complexity | Low
Privileges Required | Low
User Interaction | None
Scope | Changed
Confidentiality | Low
Integrity | Low
Availability | None

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date | Event
2021-06-08 | Microsoft patches CVE-2021-31201 in June 2021 Patch Tuesday — confirmed as exploited zero-day, patched alongside CVE-2021-31199
2021-06-08 | CVE published
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17 | CISA BOD 22-01 remediation deadline

References

Resource | Type
Microsoft Security Advisory — CVE-2021-31201 | Vendor Advisory
NVD — CVE-2021-31201 | Vulnerability Database
CISA KEV Catalog Entry | US Government