A vulnerability named ‘SeriousSAM’ has been discovered on Windows 10 operating system. This local privilege escalation vulnerability allows attackers with low-level permissions to access Windows system files to unmask the operating system installation password and even decrypt private keys. Attackers who exploit this vulnerability could obtain hashed passwords stored in the Security Account Manager (SAM) database and Windows registry. In addition to this, SeriousSAM vulnerability allows the attacker to run arbitrary code with SYSTEM privileges. We recommend all Windows 10 and Windows 11 users learn about how to test and fix the Windows SeriousSAM Vulnerability (CVE-2021-36934) to protect their machines from the SeriousSAM bug.
Table of Contents
What Is Windows SeriousSAM Vulnerability?
Microsoft says, “An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Windows SeriousSAM vulnerability exists in the default configuration of Windows 10 and Windows 11. This is caused by BUILTIN\Users having read access to the following directories.
The safe note is that An attacker can’t exploit this vulnerability sitting remotely. Either he must have the ability to execute code on a victim machine, or he should use any remote code execution vulnerabilities prior to exploiting this vulnerability.
How To Test The Windows SeriousSAM Vulnerability (CVE-2021-36934)?
Microsoft rated this vulnerability as ‘Important’. This vulnerability was made public on Monday by Jonas Lyk. Following that, Kevin Beaumont made the Proof of Concept code public to help system admins identify and test the Windows SeriousSAM Vulnerability (CVE-2021-36934) on their machines. Please don’t skip reading the blog and watch the below video tutorial created by Kevin Beaumont to learn how to test the Windows SeriousSAM Vulnerability (CVE-2021-36934).
How To Fix The Windows SeriousSAM Vulnerability (CVE-2021-36934)?
This Windows SeriousSAM Vulnerability (CVE-2021-36934) is treated as a 0-day vulnerability as there are no patches released so far. However, Microsoft has released some workaround to protect your environment from SeriousSAM vulnerability (CVE-2021-36934). Let’s learn them.
Restrict access to the contents of %windir%\system32\config
- You can do this in two ways:
- Command Prompt (Run as administrator): icacls %windir%\system32\config\*.* /inheritance:e
- Windows PowerShell (Run as administrator): icacls $env:windir\system32\config\*.* /inheritance:e
- Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config. Create a new System Restore point if needed.
- Restrict SAM files and Registry permissions for all users except the administrator. But, this method may put you at risk if an attacker managed to gain administrator credentials.
- It is better to delete all users from the built-in users’ group, but this will not stop the attacker from reading the SAM and registry if an attacker steals Admin credentials.
- This ensures that there will be no hash stored in the SAM or registry. Somehow this implementation is considered more effective the above two.
Please validate before implementing the above workarounds. Because these may affect your production. We recommend validating this in a staging environment before implementing it on production. Applications that use scheduled tasks and stores users’ hashes locally would fail.
Follow these recommendations if you want to fix the Windows SeriousSAM Vulnerability (CVE-2021-36934) without downtime.
- Set up a test environment that simulates your production environment. Run all the tests as much as you can until you are sure to implement them on the production.
- Verify the impact of each workaround on your testbed. Find out if any application has the dependency of storing hashes locally on the SAM database and clear the dependencies.
- Make sure you implement the previous three workarounds on the new production deployments.
Thanks for reading this post. Please share this post and help secure the digital world.