Hello everyone,
An Elevation of Privilege vulnerability in Microsoft Windows 10 that grants non-admin users access to the SAM, SYSTEM, and SECURITY registry hive files has been discovered recently.

Vulnerability description:
Non-admin users have access to the following registry hive files:
c:\Windows\System32\config\sam
c:\Windows\System32\config\system
c:\Windows\System32\config\security
If a VSS shadow copy of the system drive is available, a non-privileged user may leverage access to these files to achieve a number of impacts, including but not limited to:
Extract and leverage account password hashes.
Discover the original Windows installation password.
Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.
Obtain a computer machine account, which can be used in a silver ticket attack.
An attacker must have the ability to execute code on a victim system to exploit this vulnerability.
How to check if your system is vulnerable:
Check the permissions on the SAM hive file (the output below is from icacls). A vulnerable system reports BUILTIN\Users:(I)(RX), like this:
C:\Windows\system32\config\sam BUILTIN\Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
Successfully processed 1 files; Failed processing 0 files

Workaround:
1. Restrict access to the contents of %windir%\system32\config:
   a. Open Command Prompt or Windows PowerShell as an administrator.
   b. Run this command: icacls %windir%\system32\config\*.* /inheritance:e
2. Delete Volume Shadow Copy Service (VSS) shadow copies:
   a. Delete any System Restore points and shadow volumes that existed prior to restricting access to %windir%\system32\config.
   b. Create a new System Restore point (if desired).
Impact of workaround: Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications.
Note: You must restrict access and delete shadow copies to prevent exploitation of this vulnerability.
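The check and the first workaround step above can be put into one script. The following is an added example, not code from the original post, from Microsoft, or from ManageEngine's product; the script name is arbitrary and the -Remediate switch is an assumption of this example. It audits the three hive files for an ACE granting BUILTIN\Users read access, counts existing shadow copies (the condition that makes the exposed ACL exploitable), and, when run elevated with -Remediate, applies the icacls command from the workaround. It deliberately does not delete shadow copies, because the post notes that this affects restore operations; it reports them so that step can be taken knowingly.

```powershell
<#
  Added example, not code from the original post or from ManageEngine.
  Audits the SAM, SYSTEM and SECURITY hives for the condition described
  above (an ACE granting BUILTIN\Users read access), reports existing shadow
  copies, and with -Remediate applies the icacls workaround from the post.
  Assumes the default %windir%\System32\config layout. The audit works from a
  standard user session; -Remediate and shadow-copy enumeration need an
  elevated shell.
#>
param(
    [switch]$Remediate
)

$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'sam', 'system', 'security' | ForEach-Object { Join-Path $configDir $_ }

function Test-HiveReadableByUsers {
    param([Parameter(Mandatory)][string]$Path)
    # Get-Acl only needs READ_CONTROL on the file, so it succeeds even though
    # the live hive is locked by the kernel.
    $acl      = Get-Acl -LiteralPath $Path
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        (([int]$_.FileSystemRights) -band $readData) -ne 0
    }
    return [bool]$hit
}

$exposed = foreach ($hive in $hives) {
    if (Test-HiveReadableByUsers -Path $hive) {
        Write-Host ('{0,-45} VULNERABLE (BUILTIN\Users has read access)' -f $hive)
        $hive
    } else {
        Write-Host ('{0,-45} OK' -f $hive)
    }
}

# The live hives are locked, so the permissive ACL is only reachable through a
# VSS snapshot. Count them so the second workaround step can be judged.
# Without elevation the enumeration returns nothing, which shows as 0 here.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
Write-Host ('Shadow copies visible on this host: {0}' -f $shadows.Count)

if (-not $exposed) {
    Write-Host 'No hive grants BUILTIN\Users read access.'
    return
}

if ($Remediate) {
    # Workaround step 1: re-enable inheritance so the hive files take the
    # restrictive ACL of the config directory instead of their own.
    & icacls.exe "$configDir\*.*" /inheritance:e
    Write-Host 'ACL inheritance re-enabled. Re-run without -Remediate to confirm.'
    if ($shadows.Count -gt 0) {
        Write-Warning ('{0} shadow copies predate the fix and still hold readable hives. ' +
                       'Remove pre-existing System Restore points and shadow volumes, then ' +
                       'create a new restore point if desired.' -f $shadows.Count)
    }
} else {
    Write-Warning 'Run again as administrator with -Remediate to apply the icacls workaround.'
}
```

Run it once without arguments from any account to get the per-hive verdict; a host that prints VULNERABLE for any hive and a non-zero shadow-copy count is in the state the post describes. The audit looks at the effective access rule rather than matching the literal "(I)(RX)" string, so it also catches non-inherited or differently abbreviated grants to BUILTIN\Users.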
For more details, refer to Microsoft's Security Update Guide.
This vulnerability can be found under the 'Zero-day vulnerabilities' tab in Vulnerability Manager Plus.
Cheers,
The ManageEngine Team