Attacker Value
Very High
(2 users assessed)
Exploitability
Very High
(2 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown

CVE-2021-36934 Windows Elevation of Privilege

Disclosure Date: July 22, 2021
Exploited in the Wild
MITRE ATT&CK Tactics: Credential Access
Validation: Validated

Description

An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An attacker must have the ability to execute code on a victim system to exploit this vulnerability.

After installing this security update, you must manually delete all shadow copies of system files, including the SAM database, to fully mitigate this vulnerability. Simply installing this security update will not fully mitigate this vulnerability. See KB5005357: Delete Volume Shadow Copies.


2 Ratings
Technical Analysis

Vulnerability is easy to exploit – by interacting with the local ShadowCopy volume and copying it to a local folder, attackers can easily elevate their privileges.
Several exploits were already released, allowing the hashes to be parsed while copying the SAM\SECURITY\SYSTEM hives:
https://github.com/cube0x0/CVE-2021-36934
https://github.com/HuskyHacks/ShadowSteal

This vulnerability occurs due to the permissive “C:\Windows\System32\Config\*.*” permissions granted to “BUILTIN\Users”, allowing any user to read and execute the files.

2 Ratings
  • Attacker Value
    High
  • Exploitability
    High
Technical Analysis

Zero-day LPE vulnerability affecting Windows 10 v1809 and later (so Win10 and Win11 preview), arises from the SAM file being READ-enabled for all local users. The SAM file has gold, e.g., hashed user/admin passwords. PoC to retrieve registry hives publicly available, no patch as of July 21, 2021. JonasLyk and research community reported and confirmed the issue on Twitter Monday, July 19. Guidance from Microsoft is to apply a couple of workarounds—defenders likely behind the attack curve already. Details: https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/
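The Description and both technical analyses above describe the same two conditions: the registry hive files under System32\config carry an ACL that grants BUILTIN\Users read access, and a Volume Shadow Copy lets a standard user read a copy of those hives even though the live files are locked. The PowerShell script below is an added example written for this page; it is not code from AttackerKB, Microsoft, or the linked PoC repositories. It checks both conditions from a defender's side and, when a host is exposed, echoes the two-step workaround Microsoft published (restore inherited ACLs with icacls, then delete shadow copies per KB5005357). Assumptions not taken from the page: the hives live under $env:windir\System32\config, the three hive names checked are SAM, SECURITY and SYSTEM, and the script runs from an elevated session so that Get-Acl and Win32_ShadowCopy return complete results.

```powershell
# Added example: not code from AttackerKB, Microsoft, or the linked PoC
# repositories. Defender-side exposure check for CVE-2021-36934 on a
# Windows 10 host. Run from an elevated PowerShell session.
#
# Assumptions (not from the page): hives live under $env:windir\System32\config,
# the three hive names below are the ones that matter, and Win32_ShadowCopy
# enumerates every shadow copy on the host.

$hiveDir = Join-Path $env:windir 'System32\config'
$hives   = @('SAM', 'SECURITY', 'SYSTEM')

# Returns $true when an Allow ACE on the file grants BUILTIN\Users the
# ReadData right, i.e. the overly permissive ACL the advisory describes.
function Test-HiveReadableByUsers {
    param([Parameter(Mandatory)][string]$Path)
    $acl      = Get-Acl -Path $Path -ErrorAction Stop
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $match = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        (([int]$_.FileSystemRights -band $readData) -ne 0)
    }
    return ($null -ne $match)
}

# 1. ACL check on each hive file.
$aclReport = foreach ($name in $hives) {
    $path = Join-Path $hiveDir $name
    try {
        $readable = Test-HiveReadableByUsers -Path $path
        $note = ''
    } catch {
        # On a patched host a non-admin cannot even read the ACL; an elevated
        # session should not reach this branch.
        $readable = $false
        $note = "ACL not readable: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Hive = $name; Path = $path; UsersCanRead = $readable; Note = $note }
}
$aclReport | Format-Table -AutoSize

# 2. Shadow copies: the live hives are locked by the OS, so the permissive ACL
#    becomes practical only when a shadow copy exists that can be read instead.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
"Volume Shadow Copies present: $($shadows.Count)"
$shadows | Select-Object ID, InstallDate, DeviceObject, VolumeName | Format-Table -AutoSize

# 3. Verdict, plus the two remediation steps Microsoft published for this CVE.
$exposedHives = @($aclReport | Where-Object { $_.UsersCanRead })
if ($exposedHives.Count -gt 0 -and $shadows.Count -gt 0) {
    $names = ($exposedHives | ForEach-Object { $_.Hive }) -join ', '
    Write-Warning "Exposed: $names readable by BUILTIN\Users and $($shadows.Count) shadow copies exist."
    Write-Warning "Step 1 - restore inherited ACLs:  icacls $env:windir\system32\config\*.* /inheritance:e"
    Write-Warning 'Step 2 - delete existing shadow copies (KB5005357), e.g.: vssadmin delete shadows /for=c: /Quiet'
} elseif ($exposedHives.Count -gt 0) {
    Write-Warning 'Hive ACLs are permissive but no shadow copies exist yet; fix the ACLs before the next restore point is created.'
} else {
    'No permissive BUILTIN\Users ACE found on the hive files.'
}
```

The ACL test deliberately looks for the ReadData bit rather than the composite Read or ReadAndExecute value, so it still flags an ACE that was hand-edited to a narrower but still sufficient right. The script only reports and prints the remediation commands; it does not change ACLs or delete shadow copies itself, which keeps it safe to run on a fleet before deciding how to apply the fix.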

CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Vendors

  • microsoft

Products

  • windows 10 1809
  • windows 10 1909
  • windows 10 2004
  • windows 10 20h2
  • windows 10 21h1

Exploited in the Wild
