AL2021_19 Vulnerability found affecting Windows 10 & 11 (22nd July, 2021)

Description

A vulnerability was found affecting Windows 10 and Windows 11 which allows local elevation of privilege: users with low privileges can read sensitive Registry database files.

Summary

The Windows Registry is the configuration repository for the Windows OS and contains hashed passwords, user customization, configuration options for applications and system decryption keys.

Very sensitive database files are associated with the Windows Registry. These files are stored in the folder C:\Windows\system32\config and are broken up into separate hives such as SYSTEM, SECURITY, SAM, DEFAULT, and SOFTWARE.

Since these files contain information about all user accounts on a device and the security tokens used by Windows features, they should only be readable by users with elevated privileges. This applies especially to the Security Account Manager (SAM) file, because it contains the hashed passwords for all users on the device.

It was discovered that the Registry files associated with SAM are accessible to the ‘Users’ group, which has low privileges on a device. Due to these weak file permissions, a malicious user with limited privileges on a device can obtain the NTLM hashed passwords for all accounts on that device and then use those hashes in a pass-the-hash attack to gain elevated privileges.

It can also be noted that this vulnerability not only allows escalation of privileges, but it also leaves a device open to Silver ticket attacks.

Solution

To know if your device is affected by this vulnerability, you can run the following command in command prompt:

icacls c:\windows\system32\config\sam

If the following permission entry is displayed, your Windows installation is affected by this vulnerability:

BUILTIN\Users:(I)(RX)

To block exploitation of this vulnerability temporarily you need to take the following steps:

1. Restrict access to the contents of %windir%\system32\config:

  • Open Command Prompt or Windows PowerShell as an administrator.
  • Run this command in Command Prompt:
    icacls %windir%\system32\config\*.* /inheritance:e

    OR

  • Run this command in Windows Powershell:
    icacls $env:windir\system32\config\*.* /inheritance:e

2. Delete Volume Shadow Copy Service (VSS) shadow copies:

  • Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.

https://answers.microsoft.com/en-us/windows/forum/all/how-to-remove-restore-points/9e4537b0-8f1a-454d-9fca-235f592a9d5d

  • Create a new System Restore point (if desired).

https://support.microsoft.com/en-us/windows/create-a-system-restore-point-77e02e2a-3298-c869-9974-ef5658ea3be9
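The check and the temporary workaround above, combined into one script as an added example (not part of the original alert): it inspects the ACL of each hive file named in the Summary for read access by BUILTIN\Users, counts existing VSS shadow copies (which keep the old, readable hives), and with -Remediate applies the icacls workaround and deletes those shadow copies. The -Remediate switch and the function name Test-HiveExposed are this example's own choices.

```powershell
# Added example, not part of the original advisory. Run from an elevated
# PowerShell prompt. Without -Remediate it only reports.
param([switch]$Remediate)

$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'SAM', 'SECURITY', 'SYSTEM', 'DEFAULT', 'SOFTWARE'

function Test-HiveExposed {
    param([string]$Path)
    # Reading the security descriptor does not need read access to the file
    # contents, so this works even while Windows holds the hive open.
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)) {
            return $true   # equivalent to the BUILTIN\Users:(I)(RX) entry icacls shows
        }
    }
    return $false
}

$exposed = @()
foreach ($hive in $hives) {
    $path = Join-Path $configDir $hive
    if ((Test-Path $path) -and (Test-HiveExposed -Path $path)) { $exposed += $hive }
}

if ($exposed.Count -eq 0) {
    Write-Host "No hive in $configDir is readable by BUILTIN\Users."
} else {
    Write-Host "Readable by BUILTIN\Users (affected): $($exposed -join ', ')"
}

# Shadow copies taken before the ACL fix still hold the hives with the old permissions.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
Write-Host "Existing VSS shadow copies: $($shadows.Count)"

if ($Remediate) {
    # Step 1 of the advisory: re-enable ACL inheritance on the config folder contents.
    & icacls "$configDir\*.*" /inheritance:e | Out-Null
    # Step 2 of the advisory: remove shadow copies that predate the fix.
    if ($shadows.Count -gt 0) { & vssadmin delete shadows /all /quiet | Out-Null }
    Write-Host "Workaround applied. Create a new System Restore point if desired."
}
```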

For more information on this alert, please follow the URL:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934

The Guyana National CIRT recommends that users and administrators review this alert and apply updates where necessary.
