Windows Vulnerability – CVE-2021-36934

22nd July 2021

An elevation of privilege vulnerability exists because of excessively permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

 

This affects all Windows client and server versions released during the last three years, since October 2018, starting with Windows 10 1809 and Windows Server 2019.

 

This vulnerability could allow an attacker to gain access to the Security Accounts Manager (SAM) configuration file, which may allow them to steal hashed passwords that can then be cracked and used to gain administrative privileges. It may also allow attackers to gather additional data relating to installation passwords and DPAPI computer keys, as well as to install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability.

 

Microsoft have provided workarounds to address these issues.

The workarounds described are meant to be a temporary solution only until such time as Microsoft release a patch.

Restrict access to the contents of %windir%\system32\config

  • Open Command Prompt or Windows PowerShell as an administrator.
  • Run this command: icacls %windir%\system32\config\*.* /inheritance:e (in Windows PowerShell, write $env:windir in place of %windir%, which only Command Prompt expands)

Delete Volume Shadow Copy Service (VSS) shadow copies

  1. Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.
  2. Create a new System Restore point (if desired).

Impact of workaround: Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications.

Note: You must restrict access and delete shadow copies to prevent exploitation of this vulnerability.
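One way to verify both parts of the workaround on a host, as an added example that is not taken from Microsoft's advisory or this page: it reports whether BUILTIN\Users can still read the hive files and lists the shadow copies that remain. Checking SYSTEM and SECURITY alongside SAM is an assumption; the page names only SAM among the affected files.

```powershell
# Added audit example (not Microsoft's tooling). Run from an elevated PowerShell prompt.
$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'SAM', 'SYSTEM', 'SECURITY'      # assumed selection of hive files
$usersSid  = 'S-1-5-32-545'                   # well-known SID of BUILTIN\Users
$readData  = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$sidType   = [System.Security.Principal.SecurityIdentifier]

# 1. Does any Allow ACE still give BUILTIN\Users read access to a hive file?
$aclReport = @(foreach ($name in $hives) {
    $path = Join-Path $configDir $name
    try {
        $acl   = Get-Acl -LiteralPath $path -ErrorAction Stop
        $rules = $acl.GetAccessRules($true, $true, $sidType)   # explicit + inherited, as SIDs
    } catch {
        Write-Warning "Could not read ACL of ${path}: $($_.Exception.Message)"
        continue
    }
    $exposed = @($rules | Where-Object {
        $_.IdentityReference.Value -eq $usersSid -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $readData) -ne 0)
    })
    [pscustomobject]@{ File = $path; UsersCanRead = ($exposed.Count -gt 0) }
})

# 2. Shadow copies still on disk. Copies taken before the ACL change keep the old ACL.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy |
    Sort-Object InstallDate |
    Select-Object ID, VolumeName, InstallDate)

$aclReport | Format-Table -AutoSize
$shadows   | Format-Table -AutoSize

if ($aclReport.Count -eq 0) {
    Write-Output 'No hive ACL could be read; run elevated and retry.'
} elseif ($aclReport.UsersCanRead -contains $true) {
    Write-Output 'ACL workaround NOT applied: BUILTIN\Users can still read a hive file.'
} elseif ($shadows.Count -gt 0) {
    Write-Output "ACL is restricted, but $($shadows.Count) shadow copies remain; delete those older than the ACL change."
} else {
    Write-Output 'ACL is restricted and no shadow copies exist.'
}
```

Compare each InstallDate with the time the icacls command was run: only copies created before that time still need to be deleted.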

 

Please review Microsoft’s official article here:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934

 

Please raise a case with the Daisy Service Desk should you require any assistance or further information.

 
