Published: July 22, 2021
THIS NOTICE AFFECTS ONLY THOSE RUNNING CERTAIN VERSIONS OF WINDOWS SERVER OR WINDOWS 10 AS NOTED BELOW.
On July 20, 2021, Microsoft issued an alert for CVE-2021-36934, a Windows Elevation of Privilege vulnerability that gives non-privileged users access to sensitive system files on affected versions.
If your organization is running an affected version (listed below), it is recommended that the workaround or mitigations described below be implemented immediately.
Description
An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database.
Determined Impact
An attacker who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. If a Volume Shadow Copy Service (VSS) shadow copy of the system drive is available, a threat actor may leverage access to these files to perform the following activities:
- Extract and leverage account password hashes
- Discover the original Windows installation password
- Obtain DPAPI computer keys, which can be used to decrypt all computer private keys
- Obtain a computer machine account, which can be used in a silver ticket attack
Note: A threat actor must already be able to execute code on the victim's system to exploit this vulnerability.
Affected Versions
| Property | Value |
|---|---|
| Impact | Elevation of Privilege |
| Severity | Important |
| Affected Versions | Windows Server, version 20H2 (Server Core installation) |
| | Windows 10 Version 20H2 for ARM64-based Systems |
| | Windows 10 Version 20H2 for 32-bit Systems |
| | Windows 10 Version 20H2 for x64-based Systems |
| | Windows Server, version 2004 (Server Core installation) |
| | Windows 10 Version 2004 for x64-based Systems |
| | Windows 10 Version 2004 for ARM64-based Systems |
| | Windows 10 Version 2004 for 32-bit Systems |
| | Windows 10 Version 21H1 for 32-bit Systems |
| | Windows 10 Version 21H1 for ARM64-based Systems |
| | Windows 10 Version 21H1 for x64-based Systems |
| | Windows 10 Version 1909 for ARM64-based Systems |
| | Windows 10 Version 1909 for x64-based Systems |
| | Windows 10 Version 1909 for 32-bit Systems |
| | Windows Server 2019 (Server Core installation) |
| | Windows Server 2019 |
| | Windows 10 Version 1809 for ARM64-based Systems |
| | Windows 10 Version 1809 for x64-based Systems |
| | Windows 10 Version 1809 for 32-bit Systems |
Exploitability
| Publicly Disclosed | Exploited | Exploitability Assessment | 
|---|---|---|
| Yes | No | Exploitation More Likely | 
Mitigations / Workarounds
- Identify Vulnerable Systems: If the affected Windows system contains a VSS shadow copy, Microsoft recommends restricting access and deleting old shadow copies. A shadow copy newly created after following Step 2 below will help prevent exploitation of this vulnerability. To check whether a system has VSS shadow copies available, run the following command from a privileged command prompt:

        vssadmin list shadows

    A system with VSS shadow copies will report details of at least one shadow copy whose Original Volume is the system drive (i.e. C:), such as the following:

        vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
        (C) Copyright 2001-2013 Microsoft Corp.

        Contents of shadow copy set ID: {d9e0503a-bafa-4255-bfc5-b781cb27737e}
           Contained 1 shadow copies at creation time: 7/21/2021 11:19:49 PM
              Shadow Copy ID: {b7f4115b-4242-4e13-84c0-869524965718}
                 Original Volume: (C:)\\?\Volume{4c1bc45e-359f-4517-88e4-e985330f72e9}\
                 Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
                 Originating Machine: Host Name
                 Service Machine: Host Name
                 Provider: 'Microsoft Software Shadow Copy provider 1.0'
                 Type: ClientAccessibleWriters
                 Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

    A system without VSS shadow copies will produce output like the following:

        vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
        (C) Copyright 2001-2013 Microsoft Corp.

        No items found that satisfy the query.

    To check whether a system is vulnerable, run the following command from a non-privileged command prompt:

        icacls %windir%\system32\config\sam

    A vulnerable system will report BUILTIN\Users:(I)(RX) in output like this:

        C:\Windows\system32\config\sam BUILTIN\Administrators:(I)(F)
                                       NT AUTHORITY\SYSTEM:(I)(F)
                                       BUILTIN\Users:(I)(RX)
                                       APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                       APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

        Successfully processed 1 files; Failed processing 0 files

    A system that is not vulnerable will report output like this:

        C:\Windows\system32\config\sam: Access is denied.
        Successfully processed 0 files; Failed processing 1 files
- Mitigate Risk - Restrict Access to Non-privileged Users: Run the following commands to restrict access to the contents of %windir%\system32\config.

    Command Prompt (Run as administrator):

        icacls %windir%\system32\config\*.* /inheritance:e

    Windows PowerShell (Run as administrator):

        icacls $env:windir\system32\config\*.* /inheritance:e

    Delete shadow copies after restricting access: follow the instructions in KB5005357 and delete the Volume Shadow Copy Service (VSS) shadow copies.
Impact of Workaround
Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications. For more information on how to delete shadow copies, see KB5005357 - Delete Volume Shadow Copies.
Delete any System Restore points and shadow copy volumes that existed prior to restricting access to %windir%\system32\config.
To delete all shadow copies of the system drive, run the following command:

    vssadmin delete shadows /for=%systemdrive% /Quiet

Note: Newly created shadow copies, which will contain the proper ACLs, will function as expected.
Run this command to confirm the VSS shadow copy deletion status:

    vssadmin list shadows
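The identify-and-mitigate procedure above, wrapped as a single audit script. This is an added example, not code from the advisory, Microsoft or EventTracker; it assumes an elevated PowerShell session, and the `-Remediate` switch (my own addition) runs the advisory's icacls and vssadmin workaround commands only when explicitly requested.

```powershell
# Added audit script for CVE-2021-36934 (not the advisory's own code).
# Run elevated. Without -Remediate it only reports; with -Remediate it applies
# the advisory's workaround (re-enable ACL inheritance, then delete old shadow copies).
[CmdletBinding()]
param([switch]$Remediate)

# Hives the advisory names as exposed by the over-permissive ACL
$hives = @('SAM', 'SECURITY', 'SYSTEM') | ForEach-Object { "$env:windir\System32\config\$_" }

# Check 1: the advisory's vulnerable signature is a BUILTIN\Users:(I)(RX) entry
$weakHives = @(foreach ($hive in $hives) {
    $acl = & icacls.exe $hive 2>&1 | Out-String
    if ($acl -match 'BUILTIN\\Users:\(I\)\(RX\)') { $hive }
})

# Check 2: any "Shadow Copy ID:" line means a pre-fix copy of the hives may still be readable
$vss = & vssadmin.exe list shadows 2>&1 | Out-String
$shadowCount = ([regex]::Matches($vss, 'Shadow Copy ID:')).Count

if ($weakHives.Count -gt 0) {
    Write-Warning "Over-permissive ACL on: $($weakHives -join ', ')"
} else {
    Write-Host 'Hive ACLs OK: no BUILTIN\Users read access found.'
}
Write-Host "VSS shadow copies present: $shadowCount"

$exposed = ($weakHives.Count -gt 0) -or ($shadowCount -gt 0)
if ($exposed -and -not $Remediate) {
    Write-Warning 'System exposed to CVE-2021-36934. Review the backup impact, then rerun with -Remediate.'
}

if ($Remediate) {
    # Step 2 of the advisory: restore inheritance so the hives take the parent directory's ACL
    & icacls.exe "$env:windir\System32\config\*.*" /inheritance:e | Out-Null
    # Then delete the shadow copies that still hold the readable hives (see KB5005357 for impact)
    & vssadmin.exe delete shadows "/for=$env:SystemDrive" /Quiet | Out-Null
    Write-Host 'Workaround applied. Confirm with "vssadmin list shadows" and the icacls check.'
}
```

Newly created shadow copies after remediation inherit the corrected ACLs and are not reported as a finding by the advisory's checks, so a non-zero count alone is only a problem for copies that predate the fix.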
Monitoring the Solution
The EventTracker SOC Team is tracking process details and the command lines executed against the C:\Windows\system32\config directory using Saved Searches, Dashboards, and Reports.
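An equivalent local query for teams without EventTracker, as an added example (not EventTracker's saved search): it reviews recent Security 4688 process-creation events whose command line references the hive directory or a shadow-copy device path. It assumes the "Include command line in process creation events" audit policy is enabled, since the CommandLine field is otherwise empty.

```powershell
# Added detection query (not EventTracker's). Surfaces recent process creations
# whose command line touches the registry hive directory or a shadow-copy device,
# the two paths involved in reading the exposed hives.
$patterns = @(
    'system32\\config\\(sam|security|system)',   # direct access to the hive files
    'HarddiskVolumeShadowCopy\d+'                 # access via a VSS shadow-copy device
)
$since = (Get-Date).AddHours(-24)

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object {
        $msg = $_.Message
        $patterns | Where-Object { $msg -match $_ }   # any pattern hit keeps the event
    } |
    ForEach-Object {
        # Pull named EventData fields from the event XML rather than parsing the message text
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process     = $d.NewProcessName
            Parent      = $d.ParentProcessName
            CommandLine = $d.CommandLine
        }
    } | Format-Table -AutoSize -Wrap
```

Legitimate administration (the advisory's own icacls and vssadmin commands, backup agents) will also match, so triage on the user, parent process and time window rather than on the path alone.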

References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934
- https://kb.cert.org/vuls/id/506989
- https://us-cert.cisa.gov/
- https://support.microsoft.com/en-gb/topic/kb5005357-delete-volume-shadow-copies-1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7
- https://library.netapp.com/ecmdocs/ECMP1401220/html/GUID-9320A39F-F278-4368-B8AB-561856881E5F.html