Attacker Value

Very High

CVE-2021-36934 Windows Elevation of Privilege

Attacker Value

Very High

(2 users assessed)

Exploitability

Very High

(2 users assessed)

User Interaction

CVE-2021-36934 Windows Elevation of Privilege

Disclosure Date: July 22, 2021 •

CVE-2021-36934 CVSS v3 Base Score: 7.8

Exploited in the Wild

Reported by gwillcox-r7
View Source Details

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Credential Access

Techniques

Validation

OS Credential Dumping

Validated

OS Credential Dumping: LSA Secrets

Validated

OS Credential Dumping: Cached Domain Credentials

Validated

Metasploit Module

post/windows/gather/credentials/windows_sam_hivenightmare

Common in enterprise Easy to weaponize Gives privileged access Vulnerable in default configuration Authenticated Requires user interaction

Description

Windows Elevation of Privilege Vulnerability

Add Assessment

Dviros (6)

July 25, 2021 9:35am UTC (2 years ago)•

Ratings

Attacker Value

Very High

Exploitability

Very High

Easy to weaponize Gives privileged access Vulnerable in default configuration Authenticated Requires user interaction

Technical Analysis

Vulnerability is easy to exploit – by interacting with the local ShadowCopy volume, and copying it to a local folder, attackers can easily elevate their privileges.
Several exploits were already released, allowing to parse the hashes while copying the SAM\SECURITY\SYSTEM hives:
https://github.com/cube0x0/CVE-2021-36934
https://github.com/HuskyHacks/ShadowSteal

This vulnerability occurs due to the permissive “C:\Windows\System32\Config*.*” privileges, “BUILTIN\Users”, allowing any user to read and execute the files.

ccondon-r7 (201)

July 21, 2021 4:24pm UTC (2 years ago)•Edited 2 years ago

Ratings

Attacker Value

High

Exploitability

High

Common in enterprise Gives privileged access Authenticated

Technical Analysis

Zero-day LPE vulnerability affecting Windows 10 v1809 and later (so Win10 and Win11 preview), arises from SAM file’s being READ-enabled for all local users. SAM file has gold, e.g., hashed user/admin passwords. PoC to retrieve registry hives publicly available, no patch as of July 21, 2021. JonasLyk and research community reported and confirmed the issue on Twitter Monday, July 19. Guidance from Microsoft is to apply a couple of workarounds—defenders likely behind the attack curve already. Details: https://www.rapid7.com/blog/post/2021/07/21/microsoft-sam-file-readability-cve-2021-36934-what-you-need-to-know/

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.8 High

Impact Score:

5.9

Exploitability Score:

1.8

Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Local

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

microsoft

Products

windows 10 1809,
windows 10 1909,
windows 10 2004,
windows 10 20h2,
windows 10 21h1

Metasploit Modules

post/windows/gather/credentials/windows_sam_hivenightmare (https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_sam_hivenightmare.rb)

Exploited in the Wild

Reported by:

gwillcox-r7 indicated source as Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

Reported: February 11, 2022 12:58am UTC (1 year ago)

References

Canonical

CVE-2021-36934 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36934)

Miscellaneous

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-36934

http://packetstormsecurity.com/files/164006/HiveNightmare-AKA-SeriousSAM.html

Rapid7

Very High