
Windows HiveNightmare (SeriousSAM) Vulnerability

Microsoft has confirmed an easily exploitable, unpatched vulnerability in Windows that may allow local non-admin users to elevate to admin-level privileges (local privilege escalation). The vulnerability reportedly impacts Windows 10 build 1809 and up. Because of the overly broad access, if VSS shadow copies exist on the system a non-privileged user may be able to read the hive files from a shadow copy and impact the system in ways that include, but are not limited to, obtaining credentials and DPAPI computer keys.

Windows Elevation of Privilege Vulnerability: CVE-2021-36934

“An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability,” Microsoft disclosed.

Microsoft has designated a CVE number and continues to investigate which versions of Windows are affected.

To check if your system is impacted, run the following commands as a non-admin user:

Command Prompt:

  • icacls %windir%\system32\config\sam

Windows PowerShell:

  • icacls $env:windir\system32\config\sam

A line reading BUILTIN\Users:(I)(RX) in the output means the machine may be vulnerable: non-elevated users hold inherited read and execute permissions on the Security Account Manager (SAM) registry hive. If shadow copies currently exist on the system, a non-admin user may read the hive from a shadow copy, escalate privileges, access credentials and perform other privileged operations.

Next, check whether shadow copies already exist. This can be done with either Vssadmin.exe or PowerShell; Vssadmin requires an elevated prompt. Both methods are listed below:

Vssadmin:

  • vssadmin list shadows

PowerShell:

  • Get-WmiObject Win32_ShadowStorage -Property Volume

Until a fix is released, Microsoft has advised administrators to employ two workarounds for risk mitigation:

1. Restrict access to the contents of %windir%\system32\config

Open Command Prompt or Windows PowerShell as an administrator and run this command (in PowerShell, write $env:windir in place of %windir%, as in the check above):

  • icacls %windir%\system32\config\*.* /inheritance:e

2. Delete Volume Shadow Copy Service (VSS) shadow copies*

Delete any System Restore points and shadow volumes that existed prior to restricting access to %windir%\system32\config.

Optional: Create a new System Restore point (if desired)

Administrators can create new shadow copies in a few ways. A simple method is via command line as follows:

  • wmic shadowcopy call create Volume='C:\'
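The following PowerShell script is an added example that ties the checks and workarounds above together; it is not the Automox Worklet and not Microsoft's code. It checks the SAM hive ACL by comparing against the well-known SID S-1-5-32-545 (BUILTIN\Users) rather than the display name, so it is not tied to the system language; it assumes, as the icacls check above does, that a standard user can read the hive's ACL, and it assumes an elevated session for the shadow-copy enumeration and the -Remediate path. The function names and the -Remediate / -NewRestorePoint switches are this example's own.

```powershell
<#
  Added example (not the Automox Worklet or a Microsoft script). Ties together
  the checks and workarounds from the post: is the SAM hive readable by
  BUILTIN\Users, do shadow copies exist, and, with -Remediate, apply the two
  published workarounds. Run elevated for the shadow-copy and -Remediate parts;
  the ACL check itself works as a standard user, as icacls does in the post.
  Function and switch names are this example's own.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate,        # apply workarounds 1 and 2
    [switch]$NewRestorePoint   # after remediation, create a fresh shadow copy of C:
)

$configDir = Join-Path $env:windir 'system32\config'
$samPath   = Join-Path $configDir 'sam'
$usersSid  = 'S-1-5-32-545'    # BUILTIN\Users; comparing SIDs avoids locale-specific names

# Condition 1: an Allow ACE for BUILTIN\Users that includes ReadData on the hive.
# This is the same fact icacls reports as BUILTIN\Users:(I)(RX).
function Test-SamReadableByUsers {
    $acl = Get-Acl -Path $samPath
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable account, so not BUILTIN\Users
        $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
        if ($sid -eq $usersSid -and (([int]$ace.FileSystemRights -band $readData) -ne 0)) {
            return $true
        }
    }
    return $false
}

# Condition 2: existing shadow copies, each holding a copy of the hive made
# under the permissive ACL. Enumerating Win32_ShadowCopy needs elevation.
function Get-ShadowCopies {
    try {
        Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop |
            Select-Object ID, VolumeName, InstallDate, DeviceObject
    } catch {
        Write-Warning "Could not enumerate shadow copies (run elevated): $($_.Exception.Message)"
    }
}

function Invoke-HiveNightmareWorkaround {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$NewRestorePoint)

    # Workaround 1: re-enable inheritance so the hive files take the config
    # directory's inherited ACEs again instead of the overly broad ones.
    if ($PSCmdlet.ShouldProcess("$configDir\*.*", 'icacls /inheritance:e')) {
        & icacls.exe "$configDir\*.*" /inheritance:e | Out-Null
    }
    # Workaround 2: remove shadow copies created before the ACL was fixed.
    # This also removes restore points; see the post's note on backup impact.
    if ($PSCmdlet.ShouldProcess('all volumes', 'vssadmin delete shadows /all')) {
        & vssadmin.exe delete shadows /all /quiet | Out-Null
    }
    # Optional: a new shadow copy taken after the fix, the CIM equivalent of
    # the post's wmic shadowcopy call create Volume='C:\'.
    if ($NewRestorePoint -and $PSCmdlet.ShouldProcess('C:\', 'Win32_ShadowCopy Create')) {
        Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
            -Arguments @{ Volume = 'C:\'; Context = 'ClientAccessible' } | Out-Null
    }
}

$readable = Test-SamReadableByUsers
Write-Output "SAM hive readable by BUILTIN\Users  : $readable"
if (-not $readable) {
    Write-Output 'Hive permissions are already restricted; nothing to do.'
    return
}

$shadows = @(Get-ShadowCopies)
Write-Output "Existing shadow copies              : $($shadows.Count)"
$shadows | Format-Table -AutoSize | Out-String | Write-Output

if ($Remediate) {
    Invoke-HiveNightmareWorkaround -NewRestorePoint:$NewRestorePoint
    Write-Output "Readable by BUILTIN\Users after fix : $(Test-SamReadableByUsers)"
}
```

Saved as, for instance, Check-HiveNightmare.ps1 (a name chosen here), running it with no switches only reports; `-Remediate -WhatIf` previews the icacls and vssadmin actions without executing them, and `-Remediate -NewRestorePoint` applies both workarounds and then takes a fresh shadow copy of C:. Because the script uses ShouldProcess, `-WhatIf` and `-Confirm` propagate into the workaround function, which is the safeguard you want before deleting shadow copies on a machine whose backups depend on them.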

Automox published a Worklet that will automatically identify if a Windows machine is vulnerable and push the suggested fix accordingly.

*Note regarding impact of workaround: Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications. Please check with your IT/Security policies prior to implementing this workaround.



Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day. 

Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.