Publicly disclosed zero-day vulnerability CVE-2021-36934 in Microsoft Windows 10

Hello everyone,

An Elevation of Privilege vulnerability in Microsoft Windows 10 that grants non-admin users read access to the SAM, SYSTEM, and SECURITY registry hive files has recently been publicly disclosed.

Vulnerability description: 

Starting with Windows 10 build 1809, the BUILTIN\Users group is given RX permissions to the following files:

c:\Windows\System32\config\sam

c:\Windows\System32\config\system

c:\Windows\System32\config\security

If a VSS shadow copy of the system drive is available, a non-privileged user may leverage access to these files to achieve a number of impacts, including but not limited to:

  • Extract and leverage account password hashes.

  • Discover the original Windows installation password.

  • Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.

  • Obtain a computer machine account, which can be used in a silver ticket attack.


Impact: 
An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An attacker must have the ability to execute code on a victim system to exploit this vulnerability.


How to check whether your system is vulnerable

List the permissions on the hive files. A vulnerable system reports BUILTIN\Users:(I)(RX) in the icacls output, like this:

C:\Windows\system32\config\sam BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
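The following script is an added example and is not part of the ManageEngine advisory or of any Microsoft tooling. It checks both preconditions described above on one host: whether BUILTIN\Users holds an Allow entry with read rights on the three hive files, and whether a shadow copy of the system drive currently exists. The ACL check runs without special rights; enumerating shadow copies needs an elevated session. Group membership is compared by the well-known SID S-1-5-32-545 rather than by name, so the check also works on localized Windows installations. The function names and the output object layout are this example's own choices.

```powershell
# Added example, not part of the ManageEngine advisory: report whether a Windows 10 host
# meets both preconditions for CVE-2021-36934 (hive files readable by BUILTIN\Users and a
# shadow copy of the system drive). Assumes Windows PowerShell 5.1 or later.

$HiveFiles = @(
    (Join-Path $env:windir 'System32\config\SAM'),
    (Join-Path $env:windir 'System32\config\SYSTEM'),
    (Join-Path $env:windir 'System32\config\SECURITY')
)

# Well-known SID of BUILTIN\Users; comparing SIDs avoids locale-specific group names.
$UsersSid = 'S-1-5-32-545'

function Test-HiveReadableByUsers {
    param([Parameter(Mandatory)][string]$Path)

    # Get-Acl reads the DACL without opening the file for data, so it works even
    # though the live hive is held open exclusively by the kernel.
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $grantsRead = ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $sid -eq $UsersSid -and $grantsRead) {
            return $true
        }
    }
    return $false
}

function Get-SystemDriveShadowCopyCount {
    # Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID both use the
    # \\?\Volume{GUID}\ form, which lets us keep only copies of the system drive.
    try {
        $sysVol  = Get-CimInstance -ClassName Win32_Volume -ErrorAction Stop |
                   Where-Object { $_.DriveLetter -eq $env:SystemDrive }
        $shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop |
                   Where-Object { $_.VolumeName -eq $sysVol.DeviceID }
        return @($shadows).Count
    } catch {
        Write-Warning "Could not enumerate shadow copies (run elevated): $_"
        return $null
    }
}

function Test-Cve202136934 {
    $hives = foreach ($f in $HiveFiles) {
        if (Test-Path $f) {
            [pscustomobject]@{ File = $f; UsersCanRead = (Test-HiveReadableByUsers -Path $f) }
        }
    }
    $shadowCount = Get-SystemDriveShadowCopyCount
    $aclWeak     = @($hives | Where-Object UsersCanRead).Count -gt 0

    [pscustomobject]@{
        HiveFiles            = $hives
        WeakAcl              = $aclWeak
        SystemDriveShadows   = $shadowCount
        # Exploitable right now only if both conditions hold. A weak ACL alone still
        # needs fixing, because the next restore point would expose the hives again.
        CurrentlyExploitable = ($aclWeak -and ($shadowCount -gt 0))
    }
}

Test-Cve202136934 | Format-List
```

WeakAcl true with SystemDriveShadows 0 is not a clean result: the host is one restore point away from being exploitable and should still receive the workaround below.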

Patch status: No patch is available yet for this vulnerability

Workaround:

Restrict access to the contents of %windir%\system32\config

  • Open Command Prompt or Windows PowerShell as an administrator.

  • Run this command: icacls %windir%\system32\config\*.* /inheritance:e

Delete Volume Shadow Copy Service (VSS) shadow copies

  • Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.

  • Create a new System Restore point (if desired).
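The following script is an added example, not ManageEngine's or Microsoft's own tooling. It applies the two workaround steps above on a single host and then verifies the result: it re-enables ACL inheritance under %windir%\system32\config with the icacls command given above, deletes all shadow copies of the system drive (restore points are shadow copies, so they are removed too), optionally creates a fresh restore point, and finally confirms that no Allow entry for BUILTIN\Users remains on the hive files. It assumes an elevated Windows PowerShell 5.1 session on Windows 10; icacls.exe and vssadmin.exe ship with Windows. The function names and the restore-point description are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the ManageEngine advisory: apply the CVE-2021-36934
# workaround (restrict hive ACLs, delete shadow copies) on one host and verify it.

$ConfigDir = Join-Path $env:windir 'System32\config'

function Restore-HiveAclInheritance {
    # Step 1: re-enable inheritance on every file in %windir%\System32\config so the
    # hive files take the directory's DACL again instead of the explicit entries that
    # granted BUILTIN\Users read access.
    & icacls.exe (Join-Path $ConfigDir '*.*') /inheritance:e
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

function Remove-SystemDriveShadowCopies {
    # Step 2: existing shadow copies still hold hive files with the old, permissive ACL,
    # so fixing the live files alone leaves the exposure in place.
    & vssadmin.exe delete shadows "/for=$env:SystemDrive" /all /quiet
}

function New-PostFixRestorePoint {
    # Optional: a restore point created after step 1 contains hives with the corrected ACL.
    # Checkpoint-Computer needs System Protection enabled on the system drive and, by
    # default, creates at most one restore point per 24 hours.
    try {
        Checkpoint-Computer -Description 'After CVE-2021-36934 workaround' -RestorePointType MODIFY_SETTINGS
    } catch {
        Write-Warning "Restore point not created: $_"
    }
}

function Confirm-HiveAclFixed {
    # Verification: no Allow ACE for BUILTIN\Users (SID S-1-5-32-545) may remain on the hives.
    $usersSid = 'S-1-5-32-545'
    foreach ($name in 'SAM', 'SYSTEM', 'SECURITY') {
        $path = Join-Path $ConfigDir $name
        $bad  = (Get-Acl -Path $path).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $usersSid
        }
        [pscustomobject]@{ File = $path; UsersStillAllowed = [bool]$bad }
    }
}

Restore-HiveAclInheritance
Remove-SystemDriveShadowCopies
New-PostFixRestorePoint
Confirm-HiveAclFixed | Format-Table -AutoSize
```

Run Remove-SystemDriveShadowCopies only after Restore-HiveAclInheritance has succeeded; a restore point taken before the ACL change would otherwise keep a readable copy of the hives, which is exactly the condition the advisory warns about.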

Impact of workaround: Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications.


Note: You must both restrict access and delete the existing shadow copies; either step on its own does not prevent exploitation of this vulnerability.


For more details, refer to Microsoft's Security Update Guide.


Cheers,

The ManageEngine Team