Microsoft has shared a workaround for a Windows 10 zero-day vulnerability dubbed SeriousSAM that could let an attacker gain administrator rights on a vulnerable system and execute arbitrary code with SYSTEM privileges.
As reported by BleepingComputer, a local privilege escalation bug (dubbed SeriousSAM) present in recently released versions of Windows allows users with low privileges to access sensitive Registry database files.
Affects versions of Windows 10 released since 2018
The security flaw, publicly disclosed by security researcher Jonas Lykkegaard on Twitter, has not yet received an official patch and is now tracked by Microsoft as CVE-2021-36934.
“An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database,” Microsoft explained in a security advisory published Tuesday night.
“An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability.”
As Microsoft revealed, the zero-day affects Windows releases since October 2018, starting with Windows 10, version 1809.
Lykkegaard also found that Windows 11 (an OS that Microsoft has not yet officially launched) is affected.
Workarounds are now available
The database files exposed to user access by this bug (i.e., SYSTEM, SECURITY, SAM, DEFAULT, and SOFTWARE) are stored under the C:\Windows\System32\config folder.
Mimikatz creator Benjamin Delpy told BleepingComputer that anyone can easily exploit the incorrect file permissions to steal the NTLM hashed password of an elevated account and gain higher privileges through a pass-the-hash attack.
Although attackers cannot access the database files directly, because they are always in use by the OS and opening them triggers an access violation, they can read them through a Volume Shadow Copy.
Microsoft recommends restricting access to the problematic folder and deleting Volume Shadow Copy Service (VSS) shadow copies to mitigate this issue.
Users should be aware that deleting shadow copies from their systems can affect system and file recovery operations, such as restoring data with third-party backup applications.
Here are the steps needed to temporarily block the exploitation of this vulnerability:
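The article's own step list is not reproduced on this page. As an added example, not from the article or from Microsoft, the following PowerShell script checks whether the hive files in C:\Windows\System32\config are readable by BUILTIN\Users (the over-permissive ACL behind CVE-2021-36934) and how many VSS shadow copies exist. With the -Remediate switch it applies the two mitigations the article names: re-enabling ACL inheritance on the config folder with icacls, which is the command Microsoft's advisory gives for this workaround, and deleting existing shadow copies with vssadmin. The function names and the -Remediate parameter are this example's own; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article or Microsoft). Checks the SeriousSAM
# (CVE-2021-36934) exposure and optionally applies the two mitigations the
# article describes. Deleting shadow copies also removes restore points.
param([switch]$Remediate)

$ConfigDir = Join-Path $env:windir 'System32\config'
$Hives = 'SAM', 'SECURITY', 'SYSTEM', 'DEFAULT', 'SOFTWARE'

function Test-HiveExposure {
    # Returns one object per hive file whose ACL grants BUILTIN\Users read access.
    foreach ($hive in $Hives) {
        $path = Join-Path $ConfigDir $hive
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $acl = Get-Acl -LiteralPath $path
        $userRead = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0)
        }
        if ($userRead) {
            [pscustomobject]@{
                Hive   = $hive
                Path   = $path
                Rights = ($userRead.FileSystemRights -join ', ')
            }
        }
    }
}

function Get-ShadowCopyCount {
    # Shadow copies taken while the ACL was permissive still hold readable
    # copies of the hives, so they matter even after the ACL is fixed.
    @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
}

$exposed = @(Test-HiveExposure)
$shadows = Get-ShadowCopyCount

if ($exposed.Count -eq 0) {
    Write-Host "No hive under $ConfigDir grants BUILTIN\Users read access."
} else {
    Write-Host "Hive files readable by BUILTIN\Users:"
    $exposed | Format-Table -AutoSize
}
Write-Host "Existing VSS shadow copies: $shadows"

if ($Remediate) {
    # Mitigation 1: restrict access to the hive files by re-enabling inherited
    # ACLs on everything in the config folder (Microsoft's published workaround).
    & icacls.exe "$ConfigDir\*.*" /inheritance:e

    # Mitigation 2: delete shadow copies of the system drive so that older,
    # still-readable copies of the hives are gone as well.
    & vssadmin.exe delete shadows /for=$env:SystemDrive /quiet

    Write-Host "Re-check after remediation:"
    $recheck = @(Test-HiveExposure)
    if ($recheck.Count -eq 0) { Write-Host "Hive files are no longer readable by BUILTIN\Users." }
    else { $recheck | Format-Table -AutoSize }
    Write-Host "Remaining VSS shadow copies: $(Get-ShadowCopyCount)"
}
```

Run the script without arguments first to see the current state; only run it with -Remediate once the loss of existing restore points and shadow copies is acceptable, since that loss is exactly the side effect the article warns about.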
Microsoft is still investigating the vulnerability and is working on a fix that will most likely be released as an out-of-band security update this week.
“We are investigating and will take appropriate action to help customers stay protected,” Microsoft told BleepingComputer.