Microsoft Issues Security Advisory on ‘SeriousSAM’ Elevation of Privilege Flaw in Windows Client Systems
By Kurt Mackie
Microsoft on Tuesday issued a security advisory about an elevation-of-privilege vulnerability (CVE-2021-36934) present in Windows 10 and Windows 11 client operating systems.
The vulnerability could permit an attacker to “run arbitrary code with SYSTEM privileges,” Microsoft indicated in the advisory. If attackers have the ability to execute code on a victim’s system, then they could also “install programs; view, change, or delete data; or create new accounts with full user rights,” the advisory added.
The advisory attributed the vulnerability to “overly permissive Access Control Lists” for system files, “including the Security Accounts Manager (SAM) database.” SAM is a component in Windows systems that’s used to store user passwords for local and remote authentication.
The Windows CVE-2021-36934 vulnerability has been publicly disclosed, but it hasn’t been exploited yet, according to Microsoft’s advisory. Microsoft is currently investigating it.
Affects Windows 10 Version 1809 and Newer
The vulnerability has been present in newer Windows client operating systems for about three years, explained Bojan Zdrnja, a certified SANS instructor.
“Apparently starting with Windows 10 1809 (hey, that’s a version from 2018) Microsoft messed up permissions on the SAM and SYSTEM hives which became readable for any user on the system,” Zdrnja stated in this SANS Internet Storm Center post.
The SAM and SYSTEM hives are groups of registry keys, subkeys and values that are created when users log into Windows, per this Microsoft document description.
Zdrnja further explained how reading the SAM and system hives could enable elevation of privilege on Windows clients:
Well, since the SAM and SYSTEM hives are really important, by reading them we can retrieve hashes of all local accounts on the system. And by having the hash of a local administrator we have Local Privilege Escalation being served to us on a silver (pun intended) plate.
No Patch, but Workaround Available
There’s no Common Vulnerability Scoring System ranking for the CVE-2021-36934 vulnerability. Worse, no patch for it is available.
The advisory offered a two-step “workaround” in the meantime. It consists of restricting access to the affected files and also deleting shadow copies, since those copies preserve the exposed hives. Shadow copies are backup copies of files produced by the Volume Shadow Copy Service (VSS) in Windows. VSS is turned on by default for Windows systems with disk storage greater than 128GB, according to Zdrnja:
VSS is a feature that is enabled automatically on Windows and that allows us to restore previous copies in case something got messed up during installation of a new application or patch, for example. If your system disk is greater than 128 GB, it will be enabled automatically!
Following Microsoft’s workaround advice might prevent data restores from working, per the security advisory.
“Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications,” the advisory indicated.
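As an added illustration of auditing a host for the two conditions the workaround targets (readable hive files and lingering shadow copies), here is a PowerShell check written for this article; it is not code from the article, from Zdrnja or from Microsoft, and it assumes the hive files live under %windir%\System32\config on a Windows 10/11 client.

```powershell
# Added audit script (not from the article or from Microsoft's advisory).
# Reports whether the on-disk SAM/SYSTEM/SECURITY hives grant read access to
# BUILTIN\Users and whether VSS shadow copies (which keep older, equally
# readable copies of the hives) exist on the host. Read-only; changes nothing.

$hivePaths = 'SAM', 'SYSTEM', 'SECURITY' |
    ForEach-Object { Join-Path $env:windir "System32\config\$_" }

function Test-HiveExposure {
    param([Parameter(Mandatory)][string]$Path)
    # Get-Acl needs only READ_CONTROL, so it works even though the running
    # kernel holds the hive file open exclusively.
    $acl = Get-Acl -Path $Path
    $readable = $acl.Access | Where-Object {
        $rights = [int64]$_.FileSystemRights
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        # ReadData (bit 0) covers RX-style ACEs; GENERIC_READ (bit 31)
        # covers inherited ACEs expressed with generic rights.
        ((($rights -band 1) -ne 0) -or (($rights -band 0x80000000) -ne 0))
    }
    [pscustomobject]@{
        Path                 = $Path
        UsersCanRead         = [bool]$readable
        InheritsFromParent   = -not $acl.AreAccessRulesProtected
    }
}

$results = $hivePaths | ForEach-Object { Test-HiveExposure -Path $_ }
$results | Format-Table -AutoSize

# Shadow copies snapshot the hives with the same ACLs, so fixing the live
# files alone leaves older copies readable until the snapshots are removed.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
"Shadow copies present: $($shadows.Count)"

if (($results | Where-Object UsersCanRead) -or $shadows.Count -gt 0) {
    Write-Warning ('Host appears exposed to CVE-2021-36934. Microsoft''s workaround ' +
        'restricts the ACLs (icacls %windir%\system32\config\*.* /inheritance:e, ' +
        'as given in the advisory, not quoted in this article) and then removes ' +
        'shadow copies, with the restore impact noted above.')
}
```

Run it elevated to see the full picture; as a standard user it still reports the ACL state, which on an affected build is exactly the problem.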
“With all due respect, that’s not a good workaround,” noted Susan Bradley, a patch expert and Microsoft Most Valuable Professional, in this Twitter post.
Zdrnja was also stumped, saying “to be honest — I’m not sure what’s the best way to mitigate this currently, apart from disabling/removing VSS copies.”
Kevin Beaumont, a security researcher and former Microsoft employee, confirmed the exploit, saying that “it looks like the ACLs have been set wrong in Win10 on SAM database,” per this Twitter thread.
Security researchers are referring to CVE-2021-36934 as “HiveNightmare” or “SeriousSAM.” It’s a “zero-day” vulnerability (not previously known by Microsoft), according to Satnam Narang, a staff research engineer with security solutions firm Tenable.
“It allows non-administrative users to read sensitive files that are normally restricted to administrators,” Narang explained.
“At this point, mitigation is limited to modify access control lists to prevent users from reading specific files as well as removing VSS shadow copies from the system,” Narang added via e-mail. “These mitigations could impact certain functionality of the system.”