Attacker Value
Very High
(2 users assessed)
Exploitability
Very High
(2 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
8

CVE-2021-36934 Windows Elevation of Privilege

Disclosure Date: July 22, 2021
CVE-2021-36934 CVSS v3 Base Score: 7.8
Exploited in the Wild
Reported by gwillcox-r7 and 1 more...
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Credential Access
Techniques
Validation
Validated
Validated
Validated

Description

An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An attacker must have the ability to execute code on a victim system to exploit this vulnerability.

After installing this security update, you must manually delete all shadow copies of system files, including the SAM database, to fully mitigate this vulnerabilty. Simply installing this security update will not fully mitigate this vulnerability. See KB5005357- Delete Volume Shadow Copies.

Add Assessment

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Easy to weaponizeGives privileged accessVulnerable in default configurationAuthenticatedRequires user interaction
Technical Analysis

Vulnerability is easy to exploit – by interacting with the local ShadowCopy volume, and copying it to a local folder, attackers can easily elevate their privileges.
Several exploits were already released, allowing to parse the hashes while copying the SAM\SECURITY\SYSTEM hives:
https://github.com/cube0x0/CVE-2021-36934
https://github.com/HuskyHacks/ShadowSteal

This vulnerability occurs due to the permissive “C:\Windows\System32\Config*.*” privileges, “BUILTIN\Users”, allowing any user to read and execute the files.

Log in to Add Reply
2
Ratings
  • Attacker Value
    High
  • Exploitability
    High
Common in enterpriseGives privileged accessAuthenticated
Technical Analysis

Zero-day LPE vulnerability affecting Windows 10 v1809 and later (so Win10 and Win11 preview), arises from SAM file’s being READ-enabled for all local users. SAM file has gold, e.g., hashed user/admin passwords. PoC to retrieve registry hives publicly available, no patch as of July 21, 2021. JonasLyk and research community reported and confirmed the issue on Twitter Monday, July 19. Guidance from Microsoft is to apply a couple of workarounds—defenders likely behind the attack curve already. Details: https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Windows 10 Version 1809 10.0.17763.2114
Windows 10 Version 1909 10.0.18363.1734
Windows 10 Version 21H1 10.0.19043.1165
Windows 10 Version 2004 10.0.19041.1165
Windows 10 Version 20H2 10.0.19042.1165
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • microsoft

Products

  • windows 10 1809,
  • windows 10 1909,
  • windows 10 2004,
  • windows 10 20h2,
  • windows 10 21h1

Exploited in the Wild

Reported by:

Additional Info

Authenticated
Always
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis