Publicly disclosed zero-day vulnerability CVE-2021-36934 in Microsoft Windows 10

Publicly disclosed zero-day vulnerability CVE-2021-36934 in Microsoft Windows 10

Hello everyone,

An Elevation of Privilege vulnerability in Microsoft Windows 10, which grants non-admin users access to SAM, SYSTEM, and SECURITY registry hive files has been discovered recently. 

Vulnerability description: 

Starting with Windows 10 build 1809, the BUILTIN\Users group is given RX permissions to the following files:

c:\Windows\System32\config\sam

c:\Windows\System32\config\system

c:\Windows\System32\config\security

If a VSS shadow copy of the system drive is available, a non-privileged user may leverage access to these files to achieve a number of impacts, including but not limited to:

  • Extract and leverage account password hashes.

  • Discover the original Windows installation password.

  • Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.

  • Obtain a computer machine account, which can be used in a silver ticket attack.


Impact: 
An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An attacker must have the ability to execute code on a victim system to exploit this vulnerability.


How to check if your system is vulnerable? 

A vulnerable system will report BUILTIN\Users:(I)(RX) in the output like this:

C:\Windows\system32\config\sam BUILTIN\Administrators:(I)(F)

NT AUTHORITY\SYSTEM:(I)(F)

BUILTIN\Users:(I)(RX)

APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)

APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

Patch status: No patch is available yet for this vulnerability

Workaround:

Restrict access to the contents of %windir%\system32\config

  • Open Command Prompt or Windows PowerShell as an administrator.

  • Run this command: icacls %windir%\system32\config\*.* /inheritance:e

Delete Volume Shadow Copy Service (VSS) shadow copies

  • Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.

  • Create a new System Restore point (if desired).

 

Impact of workaround: Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications.


Note: You must restrict access and delete shadow copies to prevent exploitation of this vulnerability.


For more details, refer to Microsoft's Security Update Guide 


This vulnerability can be found under the 'Zero-day vulnerabilities' tab in Vulnerability Manager Plus.


Cheers,

The ManageEngine Team