A vulnerability named ‘SeriousSAM’ has been discovered in the Windows 10 operating system. This local privilege escalation vulnerability allows attackers with low-level permissions to read protected Windows system files, expose stored password material and even decrypt private keys. Attackers who exploit this vulnerability could obtain the hashed passwords stored in the Security Account Manager (SAM) database and the Windows registry. In addition, the SeriousSAM vulnerability allows the attacker to run arbitrary code with SYSTEM privileges. We recommend that all Windows 10 and Windows 11 users learn how to test for and fix the Windows SeriousSAM Vulnerability (CVE-2021-36934) to protect their machines from the SeriousSAM bug.

What Is Windows SeriousSAM Vulnerability?
Microsoft says, “An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
The Windows SeriousSAM vulnerability exists in the default configuration of Windows 10 and Windows 11. It is caused by BUILTIN\Users having read access to the following registry hive files:
c:\Windows\System32\config\sam
c:\Windows\System32\config\system
c:\Windows\System32\config\security
The good news is that an attacker cannot exploit this vulnerability remotely. They must already be able to execute code on the victim machine, or they must first use a remote code execution vulnerability to get there before exploiting this one.
Microsoft rated this vulnerability as ‘Important’. It was made public on Monday by Jonas Lyk. Following that, Kevin Beaumont released proof-of-concept code to help system admins identify and test for the Windows SeriousSAM Vulnerability (CVE-2021-36934) on their machines. Please read the whole post and watch the video tutorial below, created by Kevin Beaumont, to learn how to test for the Windows SeriousSAM Vulnerability (CVE-2021-36934).
The Windows SeriousSAM Vulnerability (CVE-2021-36934) is treated as a zero-day vulnerability because no patch has been released so far. However, Microsoft has published some workarounds to protect your environment from the SeriousSAM vulnerability (CVE-2021-36934). Let’s go through them.
Restrict access to the contents of %windir%\system32\config
You can do this in either of two ways (both run the same icacls command, which re-enables ACL inheritance on the hive files):
Command Prompt (Run as administrator): icacls %windir%\system32\config\*.* /inheritance:e
Windows PowerShell (Run as administrator): icacls $env:windir\system32\config\*.* /inheritance:e
Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config. Create a new System Restore point if needed.
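The following PowerShell script is an added example (it is not from the original post, nor Microsoft's or Kevin Beaumont's code). It checks whether BUILTIN\Users can read the three hive files listed above, counts existing shadow copies that would still expose old copies of the hives, and with the -Fix switch (a name chosen here) applies the icacls workaround and shadow-copy cleanup described in the two steps above. It assumes an elevated PowerShell session.

```powershell
# Added example: detect CVE-2021-36934 exposure and optionally apply the
# workaround from the text. Run from an elevated PowerShell session; only
# the -Fix switch (an assumed name) changes anything on the system.
[CmdletBinding()]
param([switch]$Fix)

$hives = 'SAM', 'SYSTEM', 'SECURITY' |
    ForEach-Object { Join-Path $env:windir "System32\config\$_" }

function Test-HiveReadableByUsers {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Any Allow ACE giving BUILTIN\Users the ReadData right lets a
    # standard user read the hive once a shadow copy exposes it.
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $bad = $acl.Access | Where-Object {
        $_.IdentityReference -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $readData) -ne 0)
    }
    return [bool]$bad
}

$vulnerable = $false
foreach ($hive in $hives) {
    $readable = Test-HiveReadableByUsers -Path $hive
    if ($readable) { $vulnerable = $true }
    '{0,-45} BUILTIN\Users read access: {1}' -f $hive, $readable
}

# Fixing the live ACL is not enough: Volume Shadow Copies keep older copies
# of the hive files with the old permissions, so report them as well.
$shadows = vssadmin list shadows 2>$null | Select-String 'Shadow Copy ID'
'Shadow copies present: {0}' -f $shadows.Count

if ($vulnerable -and $Fix) {
    # Microsoft's workaround: re-enable inheritance so the hive files pick up
    # the restrictive ACL of %windir%\System32\config.
    icacls "$env:windir\System32\config\*.*" /inheritance:e
    if ($shadows.Count -gt 0) {
        # Remove shadow copies that still hold the readable hive files.
        vssadmin delete shadows /all /quiet
    }
}
```

Without -Fix the script only reports; a "True" next to any hive file means the workaround has not been applied yet.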
Restrict SAM file and registry permissions for all users except administrators. However, this method still leaves you at risk if an attacker manages to obtain administrator credentials.
It is better to remove all users from the built-in Users group, but this will not stop the attacker from reading the SAM and registry if they steal admin credentials.
This ensures that no hashes are stored in the SAM or registry, and this approach is considered more effective than the above two.
Validate the above workarounds before implementing them, because they may affect your production systems. We recommend testing them in a staging environment before rolling them out to production. Applications that use scheduled tasks and store users’ password hashes locally would break.
Follow these recommendations if you want to fix the Windows SeriousSAM Vulnerability (CVE-2021-36934) without downtime.
Set up a test environment that mirrors your production environment. Run as many tests as you can until you are confident enough to apply the changes to production.
Verify the impact of each workaround on your testbed. Find out whether any application depends on hashes being stored locally in the SAM database, and remove those dependencies.
Make sure you apply the previous three workarounds to all new production deployments.
Thanks for reading this post. Please share this post and help secure the digital world.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.