Hello everyone,An Elevation of Privilege vulnerability in Microsoft Windows 10, which grants non-admin users access to SAM, SYSTEM, and SECURITY registry hive files has been discovered recently.
If a VSS shadow copy of the system drive is available, a non-privileged user may leverage access to these files to achieve a number of impacts, including but not limited to:
Extract and leverage account password hashes.
Discover the original Windows installation password.
Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.
Obtain a computer machine account, which can be used in a silver ticket attack.
An attacker must have the ability to execute code on a victim system to exploit this vulnerability.
How to check if your system is vulnerable?
A vulnerable system will report BUILTIN\Users:(I)(RX) in the output like this:
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)Successfully processed 1 files; Failed processing 0 files
Restrict access to the contents of %windir%\system32\config
Open Command Prompt or Windows PowerShell as an administrator.
Run this command: icacls %windir%\system32\config\*.* /inheritance:e
Delete Volume Shadow Copy Service (VSS) shadow copies
Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.
Create a new System Restore point (if desired).
Impact of workaround: Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications.
Note: You must restrict access and delete shadow copies to prevent exploitation of this vulnerability.
For more details, refer to Microsoft's Security Update Guide
Cheers,The ManageEngine Team