
Windows Vulnerability "SeriousSAM" Exploited in the Wild

Issued: Monday, 26 July, 2021
Last Revision: Monday, 26 July, 2021
Vendor:
Product:
Severity Level:
Summary:

An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Account Manager (SAM) database.

An attacker could exploit this vulnerability (CVE-2021-36934) to gain elevated privileges. An attacker with low-level privileges would need to take advantage of the incorrect permissions set on the SYSTEM and SAM hives.

To read and copy files from the hives, an attacker would need to use Volume Shadow Copy (VSS) to extract NTLM password hashes. The attacker could use these hashes in further attacks, such as a pass-the-hash or Silver Ticket attack.

Proof-of-concept (PoC) code is publicly available. This vulnerability is being referred to as 'HiveNightmare' and 'SeriousSAM'.

Organizations are encouraged to check the product(s) used in their environment and apply the workaround as soon as possible.

 

Affected Product(s)

Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server, version 2004 (Server Core installation)
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Recommendation:
Workarounds (vendor solution)

Restrict access to the contents of %windir%\system32\config
Command Prompt (Run as administrator): icacls %windir%\system32\config\*.* /inheritance:e
Windows PowerShell (Run as administrator): icacls $env:windir\system32\config\*.* /inheritance:e

Delete Volume Shadow Copy Service (VSS) shadow copies *** READ NOTES ***
1. Delete any System Restore points and shadow volumes that existed prior to restricting access to %windir%\system32\config.
2. Create a new System Restore point (if desired).

NOTES:
Impact of workaround: Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications. For more information on how to delete shadow copies, see KB5005357 - Delete Volume Shadow Copies.
Note: You must both restrict access and delete shadow copies to prevent exploitation of this vulnerability.
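The following script is an added example, not part of the Q-CERT advisory or Microsoft's own tooling: it audits a host for the permissive hive ACL described above (a BUILTIN\Users allow entry with read rights on SAM, SYSTEM or SECURITY), counts the shadow copies that could still expose older hive copies, and only when run with -Apply performs the two vendor workaround steps in the order the advisory requires. It assumes an elevated PowerShell session; the hive list and the "Users can read" test are this example's interpretation of the advisory.

```powershell
# Added example (not from the advisory): audit and optionally remediate CVE-2021-36934 ACLs.
# Assumes an elevated session. Without -Apply the script only reports; nothing is changed.
param([switch]$Apply)

$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'SAM', 'SYSTEM', 'SECURITY'   # assumption: the hives the advisory is concerned with

function Test-HiveReadableByUsers {
    param([string]$Path)
    # Vulnerable indicator: an Allow ACE for BUILTIN\Users carrying any Read right.
    # Reading the DACL needs only READ_CONTROL, so it works even though the hive is locked.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Get-ExposedHives {
    foreach ($h in $hives) {
        $p = Join-Path $configDir $h
        if ((Test-Path -LiteralPath $p) -and (Test-HiveReadableByUsers -Path $p)) { $p }
    }
}

$exposed = @(Get-ExposedHives)
if ($exposed.Count -gt 0) {
    Write-Warning 'Hive files readable by BUILTIN\Users (vulnerable ACL):'
    $exposed | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host 'No hive file grants read access to BUILTIN\Users.'
}

# Shadow copies taken while the ACL was permissive still hold readable copies of the hives,
# so their count matters even after the ACL is fixed (hence workaround step 2).
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
Write-Host "Existing shadow copies: $($shadows.Count)"

if ($Apply) {
    # Step 1 (advisory): re-enable inheritance so the files take the parent directory's ACL.
    icacls "$configDir\*.*" /inheritance:e
    # Step 2 (advisory): remove pre-existing shadow copies; see the impact note above.
    vssadmin delete shadows /all /quiet
    # Re-audit so the operator sees the post-remediation state.
    $after = @(Get-ExposedHives)
    Write-Host "Hives still readable by BUILTIN\Users after remediation: $($after.Count)"
}
```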