Attacker Value
Very High
(2 users assessed)
Exploitability
Very High
(2 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown

CVE-2021-36934 Windows Elevation of Privilege

Disclosure Date: July 22, 2021
MITRE ATT&CK Tactics

  • Credential Access


2 Ratings
Technical Analysis

The vulnerability is easy to exploit – by interacting with the local ShadowCopy volume and copying it to a local folder, attackers can easily elevate their privileges.
Several exploits have already been released, allowing the hashes to be parsed while copying the SAM\SECURITY\SYSTEM hives:
https://github.com/cube0x0/CVE-2021-36934
https://github.com/HuskyHacks/ShadowSteal

This vulnerability occurs due to the permissive privileges on “C:\Windows\System32\Config\*.*” for “BUILTIN\Users”, allowing any user to read and execute the files.

2 Ratings
  • Attacker Value
    High
  • Exploitability
    High
Technical Analysis

Zero-day LPE vulnerability affecting Windows 10 v1809 and later (so Win10 and Win11 preview); it arises from the SAM file being READ-enabled for all local users. The SAM file has gold, e.g., hashed user/admin passwords. A PoC to retrieve registry hives is publicly available; no patch as of July 21, 2021. JonasLyk and the research community reported and confirmed the issue on Twitter on Monday, July 19. Guidance from Microsoft is to apply a couple of workarounds—defenders are likely behind the attack curve already. Details: https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/
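Both assessments above come down to the same two conditions: a BUILTIN\Users read ACE on the hive files under %windir%\System32\config, and a VSS shadow copy through which a non-admin can actually read them (the live hives are locked). The following PowerShell audit script is an added example, not code from this page or from either assessor; it checks both conditions on the local host and, with -Remediate, applies Microsoft's published workaround (re-enable ACL inheritance on the config directory contents, then delete existing shadow copies, which still carry hive copies with the old ACL). The function names and the output object are my own; it assumes Windows 10 / Server 2019+ and an elevated PowerShell session for the shadow-copy query and the remediation steps.

```powershell
# Added example (not from the AttackerKB page or the assessors): audit a host for the
# CVE-2021-36934 exposure conditions and optionally apply Microsoft's workaround.
# Run from an elevated PowerShell session, e.g.:  .\Test-HiveAcl.ps1  or  .\Test-HiveAcl.ps1 -Remediate
[CmdletBinding()]
param([switch]$Remediate)

$UsersSid  = 'S-1-5-32-545'                       # BUILTIN\Users, locale-independent
$ConfigDir = Join-Path $env:windir 'System32\config'
$HiveFiles = @('SAM', 'SECURITY', 'SYSTEM') | ForEach-Object { Join-Path $ConfigDir $_ }

function Test-HiveReadableByUsers {
    # True if any Allow ACE for BUILTIN\Users on $Path includes ReadData
    # (ReadData is contained in Read, ReadAndExecute and FullControl).
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        $grantsRead = ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
        if ($sid -eq $UsersSid -and $grantsRead) { return $true }
    }
    return $false
}

function Get-ShadowCopyCount {
    # Win32_ShadowCopy enumerates VSS snapshots; the readable hive copies live inside these.
    @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
}

$readable = @($HiveFiles | Where-Object { (Test-Path -LiteralPath $_) -and (Test-HiveReadableByUsers -Path $_) })
$shadows  = Get-ShadowCopyCount

# Report: the host is exposed only when both conditions hold at the same time.
[pscustomobject]@{
    HivesReadableByUsers = $readable
    ShadowCopyCount      = $shadows
    Exposed              = ($readable.Count -gt 0) -and ($shadows -gt 0)
}

if ($Remediate) {
    # Step 1: restore inherited (restrictive) ACLs on everything under the config directory.
    & icacls (Join-Path $ConfigDir '*.*') /inheritance:e
    # Step 2: delete existing shadow copies of the system drive; they keep the old, permissive ACL.
    & vssadmin delete shadows "/for=$env:SystemDrive" /Quiet
}
```

Note that the ACL check alone is not sufficient for a clean bill of health: a host whose ACLs were fixed but whose older shadow copies were kept still reports a non-zero ShadowCopyCount, and that is exactly the case the second remediation step exists for. Deleting shadow copies also removes restore points, so schedule that step deliberately rather than as part of a blanket sweep.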

General Information

Vendors

  • Microsoft

Products

  • Windows
  • Windows Server
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 21H1 for x64-based Systems
  • Windows 10 Version 21H1 for ARM64-based Systems
  • Windows 10 Version 21H1 for 32-bit Systems
  • Windows 10 Version 2004 for 32-bit Systems
  • Windows 10 Version 2004 for ARM64-based Systems
  • Windows 10 Version 2004 for x64-based Systems
  • Windows Server, version 2004 (Server Core installation)
  • Windows 10 Version 20H2 for x64-based Systems
  • Windows 10 Version 20H2 for 32-bit Systems
  • Windows 10 Version 20H2 for ARM64-based Systems
  • Windows Server, version 20H2 (Server Core installation)
