Windows PKU2U Elevation of Privilege Vulnerability (CVE-2021-25195, Critical)

Yesterday, for its February 2021 Patch Tuesday, Microsoft released a critical security update for PKU2U. This vulnerability is known as CVE-2021-25195 and rated with CVSSv3.0 scores of 7.8/6.8.


About PKU2U Authentication

PKU2U is a peer-to-peer authentication protocol. The policy setting that governs it (described below) prevents online identities from authenticating to domain-joined systems, so authentication remains centrally managed through Windows user accounts.

Starting with Windows Server 2008 R2 and Windows 7, the Negotiate Security Support Provider (SSP) supports an extension SSP, negoexts.dll. This extension SSP is treated as an authentication protocol by the Windows operating system. It supports SSPs from Microsoft, including PKU2U.

When devices are configured to accept authentication requests by using online IDs, such as Microsoft account, negoexts.dll calls the PKU2U SSP on the device that's used to sign in. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When it's validated on the peer device, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the sign-in process completes.

The Network security: Allow PKU2U authentication requests to this computer to use online identities policy setting (located in Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options) isn't configured by default on domain-joined devices. This disallows online identities from authenticating to domain-joined devices in Windows 7 and later.

However, when the policy setting is Enabled, it allows authentication to complete successfully between the two (or more) devices that have established a peer relationship through the use of online IDs.

In practice, PKU2U functionality is often enabled through this setting to allow Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a hybrid Azure AD-joined domain member Windows 10 device. In this case, the setting is Enabled on both ends.


About the vulnerability

An Elevation of Privilege (EoP) vulnerability exists in PKU2U authentication. An attacker who successfully exploited the vulnerability could run processes in an elevated context. To exploit the vulnerability, an attacker would first have to log on to the system.


The vulnerability was internally disclosed by Maxwell Whitaker of Microsoft’s Security Assurance and Vulnerability Research team.


All Windows versions and Windows Server versions are affected, as far back as Windows 7. Both Full installations and Server Core installations of Windows Server are affected.

Mitigations and workarounds

Microsoft has not confirmed that Windows installations and Windows Server installations that do not allow PKU2U authentication are immune to CVE-2021-25195.


Call to Action

If your servers are not configured to allow the use of PKU2U authentication, they would not be vulnerable. Disabling the Network security: Allow PKU2U authentication requests to this computer to use online identities policy setting would render domain-joined devices and Windows Servers invulnerable to CVE-2021-25195.

In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible even if you do not use PKU2U authentication.
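As an added audit example (not code from the original post or from Microsoft), the following PowerShell reports whether the policy setting discussed above is Enabled on each host, so patching can be prioritised. It assumes the policy is backed by the AllowOnlineID DWORD value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\pku2u (1 = Enabled) and that remote hosts accept PowerShell Remoting; the host names in the usage line are constructed.

```powershell
# Added audit example; not code from the original post or from Microsoft.
# Assumption: the "Network security: Allow PKU2U authentication requests to this
# computer to use online identities" policy is stored as the DWORD value
# AllowOnlineID under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\pku2u (1 = Enabled).
# Remote hosts are queried over PowerShell Remoting (WinRM).

function Get-Pku2uOnlineIdStatus {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    $probe = {
        $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\pku2u'
        $item = Get-ItemProperty -Path $path -Name 'AllowOnlineID' -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # Value absent: the policy is "Not Defined", the default on domain-joined devices
            [pscustomobject]@{ AllowOnlineID = $null; State = 'NotConfigured' }
        }
        elseif ([int]$item.AllowOnlineID -eq 1) {
            [pscustomobject]@{ AllowOnlineID = 1; State = 'Enabled' }
        }
        else {
            [pscustomobject]@{ AllowOnlineID = [int]$item.AllowOnlineID; State = 'Disabled' }
        }
    }

    foreach ($computer in $ComputerName) {
        try {
            if ($computer -ieq $env:COMPUTERNAME) {
                $r = & $probe
            }
            else {
                $r = Invoke-Command -ComputerName $computer -ScriptBlock $probe -ErrorAction Stop
            }
            # Only hosts with the policy Enabled accept online-ID PKU2U logons; patch those first
            $exposure = if ($r.State -eq 'Enabled') { 'Allows PKU2U online-ID authentication' }
                        else { 'Does not allow PKU2U online-ID authentication' }
            [pscustomobject]@{ ComputerName = $computer; AllowOnlineID = $r.AllowOnlineID; State = $r.State; Exposure = $exposure }
        }
        catch {
            [pscustomobject]@{ ComputerName = $computer; AllowOnlineID = $null; State = 'Error'; Exposure = $_.Exception.Message }
        }
    }
}

# Usage: audit a constructed host list and show Enabled hosts first
Get-Pku2uOnlineIdStatus -ComputerName $env:COMPUTERNAME, 'RDS-EXAMPLE-01' |
    Sort-Object { $_.State -ne 'Enabled' } | Format-Table -AutoSize
```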
