
=====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN370
_____________________________________________________________________

DATE                : 21/07/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Windows.

=====================================================================
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934
https://kb.cert.org/vuls/id/506989
_____________________________________________________________________

Windows Elevation of Privilege Vulnerability
CVE-2021-36934

Security vulnerability
Publication date: 20/07/2021   Last updated: 20 Jul 2021

Assigning CNA:  Microsoft
MITRE CVE-2021-36934


Summary

An elevation of privilege vulnerability exists because of overly
permissive Access Control Lists (ACLs) on multiple system files,
including the Security Accounts Manager (SAM) database. An attacker
who successfully exploited this vulnerability could run arbitrary code
with SYSTEM privileges. An attacker could then install programs; view,
change, or delete data; or create new accounts with full user rights.

An attacker must have the ability to execute code on a victim system to
exploit this vulnerability.

We will update this CVE as our investigation progresses.


Exploitability

The table below provides an exploitability assessment for this
vulnerability at the time of initial publication.

Publicly disclosed      Exploited       Exploitability assessment
Yes                     No              Exploitation More Likely


Workarounds

Restrict access to the contents of %windir%\system32\config

    Open Command Prompt or Windows PowerShell as an administrator.

    Run this command: icacls %windir%\system32\config\*.* /inheritance:e

Delete Volume Shadow Copy Service (VSS) shadow copies

    Delete any System Restore points and Shadow volumes that existed
     prior to restricting access to %windir%\system32\config.
    Create a new System Restore point (if desired).

Impact of workaround: Deleting shadow copies could impact restore
operations, including the ability to restore data with third-party
backup applications.

Note: You must both restrict access and delete shadow copies to prevent
exploitation of this vulnerability.


FAQ

No versions of Windows are listed in the Security Updates table. Are all
versions vulnerable?

So far, we can confirm that this issue affects Windows 10 version 1809
and newer operating systems. We will update this CVE as we continue our
investigation. If you wish to be notified when updates are released, we
recommend that you register for the security notifications mailer to be
alerted of content changes to this CVE. See Microsoft Technical Security
Notifications.


Acknowledgements

Microsoft acknowledges the efforts of security professionals who help
protect customers through coordinated vulnerability disclosure. For
more information, see the Acknowledgements page.

Disclaimer
The information provided in the Microsoft Knowledge Base is provided
"as is" without warranty of any kind. Microsoft disclaims all
warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose. In no event
shall Microsoft Corporation or its suppliers be liable for any damages
whatsoever, including direct, indirect, incidental, consequential, loss
of business profits or special damages, even if Microsoft Corporation
or its suppliers have been advised of the possibility of such damages.
Some jurisdictions do not allow the exclusion or limitation of
liability for consequential or incidental damages, so the foregoing
limitation may not apply.


Revisions

Version    Revision date        Description
1.0        20 Jul 2021          Information published.
1.1        20 Jul 2021          Updated the workaround information.
                                This is an informational change only.

_____________________________________________________________________


Microsoft Windows 10 gives unprivileged user access to system32\config files
Vulnerability Note VU#506989
Original Release Date: 2021-07-20 | Last Revised: 2021-07-21


Overview

Starting with Windows 10 build 1809, non-administrative users are
granted read access to files in the %windir%\system32\config directory.
This can allow for local privilege escalation (LPE).


Description

Starting with Windows 10 build 1809, the BUILTIN\Users group is given RX
permissions to files in the %windir%\system32\config directory.

If a VSS shadow copy of the system drive is available, a non-privileged
user may leverage access to these files to achieve a number of impacts,
including but not limited to:

    Extract and leverage account password hashes.
    Discover the original Windows installation password.
    Obtain DPAPI computer keys, which can be used to decrypt all
     computer private keys.
    Obtain a computer machine account, which can be used in a silver
     ticket attack.

Note that VSS shadow copies may not be available in some configurations;
however, simply having a system drive larger than 128 GB and then
performing a Windows Update or installing an MSI will ensure that a VSS
shadow copy is created automatically. To check whether a system has VSS
shadow copies available, run the following command from a privileged
command prompt:

vssadmin list shadows

A system with VSS shadow copies will report details of at least one
shadow copy that specifies Original Volume: (C:), such as the following:

vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {d9e0503a-bafa-4255-bfc5-b781cb27737e}
   Contained 1 shadow copies at creation time: 7/19/2021 10:29:49 PM
      Shadow Copy ID: {b7f4115b-4242-4e13-84c0-869524965718}
         Original Volume: (C:)\\?\Volume{4c1bc45e-359f-4517-88e4-e985330f72e9}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: DESKTOP-PAPIHMA
         Service Machine: DESKTOP-PAPIHMA
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release,
          Differential, Auto recovered

A system without VSS shadow copies will produce output like the
following:

vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

No items found that satisfy the query.

To check whether a system is vulnerable, the following command can be
used from a non-privileged command prompt:

icacls %windir%\system32\config\sam

A vulnerable system will report BUILTIN\Users:(I)(RX) in the output,
like this:

C:\Windows\system32\config\sam BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

A system that is not vulnerable will report output like this:

C:\Windows\system32\config\sam: Access is denied.
Successfully processed 0 files; Failed processing 1 files


This vulnerability has been publicly referred to as both HiveNightmare
and SeriousSAM, while Microsoft has assigned CVE-2021-36934 to the
vulnerability.


Impact

By accessing files in the Windows 10 %windir%\system32\config directory
on a vulnerable system with at least one VSS shadow copy of the system
drive, a local authenticated attacker may be able to achieve LPE,
masquerade as other users, or achieve other security-related impacts.


Solution

Please see the Microsoft bulletin for CVE-2021-36934, which contains a
workaround. Specifically:

Restrict access to %windir%\system32\config

Vulnerable systems can enable ACL inheritance for files in the
%windir%\system32\config directory by running the following command from
an elevated prompt:

icacls %windir%\system32\config\*.* /inheritance:e

Once the ACLs have been corrected for these files, any VSS shadow copies
of the system drive must be deleted to protect the system against
exploitation. Assuming that your system drive is C:, this can be
accomplished with the following command:

vssadmin delete shadows /for=c: /Quiet

Confirm that VSS shadow copies were deleted by running vssadmin list
shadows again. Note that any capabilities relying on existing shadow
copies, such as System Restore, will not function as expected.
Newly-created shadow copies, which will contain the proper ACLs, will
function as expected.
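An added example, not code from the CERT/CC note or the Microsoft bulletin: a PowerShell script that performs both checks described above (hive-file ACLs and shadow copies of the system drive) as structured output, and with -Fix applies the documented two-step workaround. The -Fix switch, the principal list and the hive list are assumptions of this example; it must be run from an elevated session.

```powershell
# Added example, not code from the CERT/CC note or the Microsoft bulletin.
# Audits a host for CVE-2021-36934 exposure (permissive ACL on the hive
# files plus a shadow copy of the system drive) and, with -Fix, applies
# the two-step workaround the bulletin documents. Run from an elevated
# PowerShell session. The -Fix switch and the principal list are assumptions.
[CmdletBinding()]
param([switch]$Fix)

$configDir = Join-Path $env:windir 'system32\config'
# The note's check uses SAM; the same inherited ACL covers the other hives.
$hives = 'SAM', 'SECURITY', 'SYSTEM', 'SOFTWARE' | ForEach-Object { Join-Path $configDir $_ }

# Step 1: the "icacls ...\config\sam" check, done with Get-Acl so the result
# is a structured object rather than text to eyeball.
$readPrincipals = '^(BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users)$'
$readData = [System.Security.AccessControl.FileSystemRights]::ReadData
$exposed = @(foreach ($hive in $hives) {
    foreach ($ace in (Get-Acl -Path $hive).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -match $readPrincipals -and
            (($ace.FileSystemRights -band $readData) -ne 0)) {
            [pscustomobject]@{ File = $hive; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
        }
    }
})

# Step 2: "vssadmin list shadows" restricted to the system drive.
# Win32_ShadowCopy.VolumeName and Win32_Volume.DeviceID share the
# \\?\Volume{GUID}\ form, so map GUID paths back to drive letters.
$letterOf = @{}
Get-CimInstance Win32_Volume | Where-Object DriveLetter | ForEach-Object { $letterOf[$_.DeviceID] = $_.DriveLetter }
$shadows = @(Get-CimInstance Win32_ShadowCopy | Where-Object { $letterOf[$_.VolumeName] -eq $env:SystemDrive })

[pscustomobject]@{
    PermissiveAces     = $exposed.Count
    SystemDriveShadows = $shadows.Count
    # Exploitable right now needs both; a permissive ACL alone still needs fixing,
    # because the next automatic shadow copy would make it exploitable.
    ExploitableNow     = ($exposed.Count -gt 0) -and ($shadows.Count -gt 0)
} | Format-List

if ($Fix) {
    # Order matters: restore inheritance first, then delete the shadow copies
    # that still carry the old permissive ACL (the bulletin requires both).
    icacls (Join-Path $configDir '*.*') /inheritance:e
    vssadmin delete shadows /for=$env:SystemDrive /Quiet
    # Re-run this script afterwards to confirm; System Restore points that
    # relied on the deleted copies are gone, as the note warns.
}
```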


Acknowledgements

This vulnerability was publicly disclosed by Jonas Lyk, with additional
details provided by Benjamin Delpy.

This document was written by Will Dormann.



Vendor Information

Microsoft       Affected
Notified:       2021-07-20 Updated: 2021-07-20

CVE-2021-36934  Affected

Vendor Statement

  We have not received a statement from the vendor.

References

    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934



References

    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934
    https://twitter.com/jonasLyk/status/1417205166172950531
    https://twitter.com/gentilkiwi/status/1417467063883476992

https://www.sans.org/blog/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-and-more/

https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/system-restore-points-disabled#more-information

https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5


Other Information

CVE IDs:                CVE-2021-36934
Date Public:            2021-07-20
Date First Published:   2021-07-20
Date Last Updated:      2021-07-21 13:28 UTC
Document Revision:      9

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================