A security researcher has discovered a serious vulnerability in the Windows 10 operating system that allows attackers to gain access to elevated privileges and user account passwords. SeriousSAM vulnerability (CVE-2021-36934) has no patch released so far. However, Microsoft has released several workarounds to protect the environment from the SeriousSAM vulnerability (CVE-2021-36934).
The vulnerability, discovered by Jonas Leek over the weekend, is related to how Windows 10 provides access to certain operating system configuration files. These are important Windows folders because they store information such as hashed passwords for all Windows user accounts, security settings, encryption key information, and other configuration information about the underlying operating system.
Steal Information with Coding
An attacker who can read files from these locations can extract sensitive information that could allow them to gain access to user passwords and system settings that could be used for malicious purposes. Because of the sensitive data, they store, only Windows administrator accounts can interact with these configuration files.
This bug allows an attacker to execute arbitrary code with add-on benefits. By chance, if the attacker gets to imbibe the code inside the system of the victim, they can easily view, make changes to the warning attributes and the vulnerability on system files, including the Security Accounts Manager (SAM) database.
Although previous versions of the Windows operating system restricted access to these files to the shadow copy feature. Microsoft cannot block access to these configuration files in shadow copy backups. This means that malware or attackers that hijack Windows 10 systems could use the SeriousSAM vulnerability to take full control of versions of Windows released in the last 2.5 years.
This local privilege escalation vulnerability could allow attackers with low-level permissions to access Windows system files, expose the operating system installation password, and even decrypt private keys. An attacker who successfully exploited this vulnerability could obtain hashed passwords stored in the Security Account Manager (SAM) database and the Windows registry. In addition, the SeriousSAM vulnerability allows an attacker to execute arbitrary code with system privileges.
Prevention of SAM Bugs
- To help protect their computers from SeriousSAM bugs, we recommend that all Windows 10 and Windows 11 users learn how to test for and fix the Windows SeriousSAM Vulnerability.
- Allows all users except administrators to access the SAM file and registry. However, this method could put you at risk if an attacker can obtain administrator credentials.
- Removes all users from the built-in user group, but if an attacker steals administrator credentials, this will not prevent the attacker from reading the SAM and registry. This ensures that the hash is not stored in the SAM or registry.
Follow these guidelines if you want to fix the Windows SeriousSAM vulnerability (CVE-2021-36934) without downtime.
- Set up a test environment that mimics your production environment.
- Run all tests as often as possible until you are sure you are putting them into production.
- Check the impact of each solution on a test bench.
- Find out if any applications have dependencies that store hashes locally in the SAM database and remove the dependencies.
Make sure to implement the first three workarounds on a new production deployment. Considering all of it, a shadow copy is a backup of a file created by the Volume Shadow Copy Service (VSS) in Windows. VSS is a feature that is automatically enabled in Windows, if something goes wrong, such as installing a new application or patch, in that case, we can restore the previous copy. If your system drive is larger than 128 GB, it will be automatically enabled!
According to the security bulletin, your data may not be recoverable if you follow Microsoft’s workaround recommendations. Deleting these copies may affect the ability to restore data using backup applications”.
There is no universal vulnerability assessment system for CVE-2021-36934. To make matters worse, there are no patches available. Meanwhile, the notice recommends a two-step “workaround.” It includes restricting access and removing shadow copies to prevent exploits.