A privilege escalation bug, affecting versions of Windows 10, received a workaround fix by Microsoft Wed. to prevent attackers from accessing data & creating new accounts on compromised systems.
Security Accounts Manager (SAM)
The bug, dubbed Serious SAM, affects the Security Accounts Manager (SAM) database in all versions of Windows 10.
The SAM component in Windows houses user account credentials & network domain information – a juicy target for attackers. A prerequisite for abuse of the bug is an adversary needs either remote or local access to the vulnerable Windows 10 system.
Access Control Lists
Tracked as CVE-2021-36934, Microsoft stated the vulnerability exists because of overly permissive Access Control Lists on multiple system files, including the (SAM) database. “An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” the Microsoft bulletin explains.
An attacker could use the bug to gain access to the SAM database of hashed credentials, which then could be decrypted offline & used to bypass Windows 10 user access controls.
Proof-of-Concept
The bug is rated important in severity by Microsoft. The flaw was revealed to Microsoft by researchers Jonas Lyk over the weekend & made public Monday. Proof-of-concept code was published by researcher Kevin Beaumont to help network admins identify exposure to the bug.
In a Tweet by Lyk, the researcher explained the bug also impacts pre-production versions of Windows 11 (slated to be released in Oct. 2021). “For some reason on win11 the SAM file now is READ for users. So, if you have shadow volumes enabled you can read the sam file,” he tweeted.
Windows 11
The researcher said the bug was discovered while tinkering with Windows 11. He explains that SAM database content, while not accessible on the OS, can be accessed when part of a Windows Shadow Volume Copy (VSS) backup. VSS is a service that allows automatic or manual real-time backups of system files (preserved in their current state) tied to a particular drive letter (volume).
He later identified the same issue is present on Windows 10 systems dating back to 2018 (v1809).
No Patch Available
For this reason, Microsoft is recommending sysadmin delete the backup copies of the VSS files. The OS maker does not offer a patch for the bug, rather a simple workaround.
Microsoft explains the 2-step process as: “Delete any System Restore points & Shadow volumes that existed prior to restricting access to %windir%\system32\config” & “create a new System Restore point (if desired).”
It also cautions that deleting VSS shadow copies “could impact restore operations, including the ability to restore data with 3rd-party backup applications.”