Published: July 22, 2021

THIS NOTICE AFFECTS ONLY THOSE RUNNING CERTAIN VERSIONS OF WINDOWS SERVER OR WINDOWS 10 AS NOTED BELOW.

On July 20, 2021, Microsoft issued an alert about a Windows Elevation of Privilege Vulnerability (CVE-2021-36934) that gives non-privileged users read access to sensitive system files on affected versions.

If your organization is running an affected version (listed below), then it is recommended that the workaround or mitigations described herein be implemented immediately.

Description

An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database.

Determined Impact

An attacker who successfully exploits this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. If a Volume Shadow Copy Service (VSS) shadow copy of the system drive is available, a threat actor may leverage access to these files to perform the following activities:

  • Extract and leverage account password hashes
  • Discover the original Windows installation password
  • Obtain DPAPI computer keys, which can be used to decrypt all computer private keys
  • Obtain a computer machine account, which can be used in a silver ticket attack

Note: Threat actor must have the ability to execute code on a victim’s system to exploit this vulnerability.

Affected Versions

Impact: Elevation of Privilege
Severity: Important
Affected Versions:
  • Windows Server, version 20H2 (Server Core Installation)
  • Windows 10 Version 20H2 for ARM64-based Systems
  • Windows 10 Version 20H2 for 32-bit Systems
  • Windows 10 Version 20H2 for x64-based Systems
  • Windows Server, version 2004 (Server Core installation)
  • Windows 10 Version 2004 for x64-based Systems
  • Windows 10 Version 2004 for ARM64-based Systems
  • Windows 10 Version 2004 for 32-bit Systems
  • Windows 10 Version 21H1 for 32-bit Systems
  • Windows 10 Version 21H1 for ARM64-based Systems
  • Windows 10 Version 21H1 for x64-based Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2019
  • Windows 10 Version 1809 for ARM64-based Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 1809 for 32-bit Systems

Exploitability

Publicly Disclosed: Yes
Exploited: No
Exploitability Assessment: Exploitation More Likely

Mitigations / Workarounds

  1. Identify Vulnerable Systems: If an affected Windows system has VSS shadow copies, Microsoft recommends restricting access to the system files and then deleting the old shadow copies. Shadow copies created after Step 2 below has been applied carry the corrected ACLs and therefore do not expose these files. To check whether a system has VSS shadow copies available, run the following command from a privileged command prompt:
     vssadmin list shadows

    A system with VSS shadow copies will report details of at least one shadow copy that specifies Original Volume: (i.e. C:), such as the following:
     
    vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
    (C) Copyright 2001-2013 Microsoft Corp.
    Contents of shadow copy set ID: {d9e0503a-bafa-4255-bfc5-b781cb27737e}
    Contained 1 shadow copies at creation time: 7/21/2021 11:19:49 PM
    Shadow Copy ID: {b7f4115b-4242-4e13-84c0-869524965718}
    Original Volume: (C:)\\?\Volume{4c1bc45e-359f-4517-88e4-e985330f72e9}\
    Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
    Originating Machine: Host Name
    Service Machine: Host Name
    Provider: 'Microsoft Software Shadow Copy provider 1.0'
    Type: ClientAccessibleWriters
    Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

    A system without VSS shadow copies will produce output like the following:
     
    vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
    (C) Copyright 2001-2013 Microsoft Corp.
    No items found that satisfy the query.

    To check if a system is vulnerable, the following command can be used from a non-privileged command prompt:
    icacls %windir%\system32\config\sam

    A vulnerable system will report BUILTIN\Users:(I)(RX) in the output, like this:
     
    C:\Windows\system32\config\sam BUILTIN\Administrators:(I)(F)
    NT AUTHORITY\SYSTEM:(I)(F)
    BUILTIN\Users:(I)(RX)
    APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
    APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
    Successfully processed 1 files; Failed processing 0 files

    A system that is not vulnerable will report output like this:
     
    C:\Windows\system32\config\sam: Access is denied.
    Successfully processed 0 files; Failed processing 1 files

  2. Mitigate Risk – Restrict Access to Non-privileged Users: Run the following commands to restrict access to the contents of %windir%\system32\config:

    Command Prompt (Run as administrator):
    icacls %windir%\system32\config\*.* /inheritance:e

    Windows PowerShell (Run as administrator):
    icacls $env:windir\system32\config\*.* /inheritance:e

    Delete shadow copies after restricting access:
    Follow instructions on KB5005357 and delete Volume Shadow Copy Service (VSS) shadow copies.

Impact of Workaround

Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications. For more information on how to delete shadow copies, see KB5005357 - Delete Volume Shadow Copies.

Delete any System Restore points and shadow copy volumes that existed prior to restricting access to %windir%\system32\config.

To delete all shadow copies of the system drive, run the following command:
vssadmin delete shadows /for=%systemdrive% /Quiet

Note: Newly created shadow copies, which will contain the proper ACLs, will function as expected.
Run the following command to confirm that the shadow copies have been deleted:
vssadmin list shadows
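The checks in Step 1 and the remediation in Step 2 can be combined into a single audit script, shown here as an added example that is not part of the original notice. It inspects the SAM hive ACL for the BUILTIN\Users read grant that icacls reports as (I)(RX), lists shadow copies of the system drive (matched by the volume GUID path that vssadmin prints as Original Volume), and with -Remediate runs the icacls and vssadmin commands given above. It must be run from an elevated PowerShell session; the -Remediate switch, the function names and the shape of the summary object are assumptions of this example.

```powershell
<#
Added example (not from the advisory): audit one host for the CVE-2021-36934 conditions
and optionally apply the documented workaround. Run elevated. -Remediate, the function
names and the summary object are this example's own; -WhatIf is honoured via ShouldProcess.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate
)

function Test-SamReadableByUsers {
    # Equivalent of spotting "BUILTIN\Users:(I)(RX)" in icacls output: any Allow ACE on the
    # SAM hive that grants ReadData to BUILTIN\Users lets non-privileged users read it.
    $sam = Join-Path $env:windir 'System32\config\SAM'
    $acl = Get-Acl -LiteralPath $sam
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($ace in $acl.Access) {
        $grantsRead = (([int]$ace.FileSystemRights) -band $readData) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $grantsRead) {
            return $true
        }
    }
    return $false
}

function Get-SystemDriveShadowCopy {
    # Win32_ShadowCopy.VolumeName is the volume GUID path (\\?\Volume{...}\), the same
    # value vssadmin shows as "Original Volume", so match it to the system drive that way.
    $sysVolume = Get-CimInstance -ClassName Win32_Volume |
        Where-Object { $_.DriveLetter -eq $env:SystemDrive }
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $sysVolume.DeviceID }
}

$samExposed = Test-SamReadableByUsers
$shadows    = @(Get-SystemDriveShadowCopy)
$oldest     = $null
if ($shadows.Count -gt 0) {
    $oldest = ($shadows | Sort-Object InstallDate | Select-Object -First 1).InstallDate
}

# Shadow copies are reported even when the ACL is already fixed: copies taken while the ACL
# was permissive still contain readable hive files, which is why the advisory deletes them.
[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    SamReadableByUsers = $samExposed
    SystemDriveShadows = $shadows.Count
    OldestShadowCopy   = $oldest
    ActionRequired     = ($samExposed -or $shadows.Count -gt 0)
}

if ($Remediate) {
    # Step 2 from the advisory: re-enable inheritance on every file under the config
    # directory, then delete shadow copies of the system drive that predate the fix.
    $configDir = Join-Path $env:windir 'System32\config'
    if ($PSCmdlet.ShouldProcess($configDir, 'icacls /inheritance:e on *.*')) {
        & icacls "$configDir\*.*" /inheritance:e | Out-Null
    }
    if ($shadows.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($env:SystemDrive, 'vssadmin delete shadows /Quiet')) {
        & vssadmin delete shadows "/for=$($env:SystemDrive)" /Quiet | Out-Null
    }
}
```

Run it once without -Remediate to collect the summary object from each host (for example through Invoke-Command), then with -Remediate -WhatIf to review the actions before applying them. Because the shadow copy deletion is the step with restore-impact described under Impact of Workaround, the script keeps it behind the same ShouldProcess gate as the ACL change.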

Monitoring the Solution

The EventTracker SOC Team tracks process details and command lines that reference the C:\Windows\system32\config directory using Saved Searches, Dashboards, and Reports.
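The kind of command-line filter that monitoring relies on is shown below as an added example; it is not EventTracker's rule logic or part of the original notice. It runs over constructed process-creation events whose field names follow Windows Security event 4688, flags any command line that references the hive directory, and separately marks references that go through a shadow copy device path, since that is the access route the advisory warns remains open until old shadow copies are deleted. The regular expressions, function name and sample events are this example's own.

```powershell
<#
Added example (not from the advisory or EventTracker): classify process command lines that
touch %windir%\System32\config, directly or through a shadow copy device. Sample events are
constructed; the patterns and the function name are assumptions of this example.
#>

# Reference to the hive directory itself or to any file in it (followed by \, whitespace,
# a closing quote, or end of string so that e.g. "\config_backup" does not match).
$hiveDirPattern = '\\System32\\config(\\|\s|"|$)'
# Reference through a shadow copy device rather than the live volume.
$shadowPattern  = '\\Device\\HarddiskVolumeShadowCopy\d+\\'

function Get-HiveAccessIndicator {
    param(
        [Parameter(Mandatory)][string]$CommandLine
    )
    # -match is case-insensitive in PowerShell, so system32\CONFIG is caught as well.
    if ($CommandLine -notmatch $hiveDirPattern) { return $null }
    if ($CommandLine -match $shadowPattern)     { return 'HiveDirViaShadowCopy' }
    return 'HiveDirDirect'
}

# Constructed sample events (event 4688 style fields).
$sampleEvents = @(
    [pscustomobject]@{
        SubjectUserName = 'it-admin'
        NewProcessName  = 'C:\Windows\System32\icacls.exe'
        CommandLine     = 'icacls C:\Windows\System32\config\SAM'
    }
    [pscustomobject]@{
        SubjectUserName = 'alice'
        NewProcessName  = 'C:\Windows\System32\cmd.exe'
        CommandLine     = 'cmd.exe /c dir \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\'
    }
    [pscustomobject]@{
        SubjectUserName = 'bob'
        NewProcessName  = 'C:\Windows\System32\notepad.exe'
        CommandLine     = 'notepad.exe C:\Users\bob\config\notes.txt'
    }
    [pscustomobject]@{
        SubjectUserName = 'it-admin'
        NewProcessName  = 'C:\Windows\System32\vssadmin.exe'
        CommandLine     = 'vssadmin list shadows'
    }
)

$findings = foreach ($e in $sampleEvents) {
    $indicator = Get-HiveAccessIndicator -CommandLine $e.CommandLine
    if ($indicator) {
        [pscustomobject]@{
            User        = $e.SubjectUserName
            Indicator   = $indicator
            Process     = $e.NewProcessName
            CommandLine = $e.CommandLine
        }
    }
}

# Expected on the sample data: it-admin's icacls check is HiveDirDirect, alice's shadow copy
# listing is HiveDirViaShadowCopy; the notepad and vssadmin lines produce no finding.
$findings | Format-Table -AutoSize
```

Note that the advisory's own icacls check (Step 1) fires the HiveDirDirect rule, so a production version should either allow-list the accounts that run the audit or rank HiveDirDirect from administrative accounts below HiveDirViaShadowCopy from ordinary users, which is the combination worth paging on.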

References