Microsoft shares a solution for the Windows 10 SeriousSAM vulnerability

Microsoft shares a solution for the new Windows 10 bug

Microsoft has shared a workaround for a Windows 10 zero-day vulnerability dubbed SeriousSAM that could let an attacker gain administrator rights on a vulnerable system and execute arbitrary code with SYSTEM privileges.

As reported by BleepingComputer, a local privilege escalation bug (dubbed SeriousSAM) present in recent versions of Windows allows low-privileged users to read sensitive Registry hive files.

Affects Windows 10 versions released since 2018

The flaw, publicly disclosed by security researcher Jonas Lykkegaard on Twitter, has not yet received an official patch and is now tracked by Microsoft as CVE-2021-36934.

“An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database,” Microsoft explained in a security advisory published Tuesday night.

“An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability.”

According to Microsoft, the zero-day affects Windows releases since October 2018, starting with Windows 10, version 1809.

Lykkegaard also found that Windows 11, which Microsoft has not yet officially released, is affected.

Workarounds are now available

The Registry hives exposed by this bug (SYSTEM, SECURITY, SAM, DEFAULT, and SOFTWARE) are stored in the C:\Windows\System32\config folder.

Mimikatz creator Benjamin Delpy told BleepingComputer that anyone can easily exploit the incorrect file permissions to steal an elevated account's NTLM password hash and gain higher privileges through a pass-the-hash attack.

Although attackers cannot read the live hive files directly, because the operating system keeps them open and the read fails with a sharing violation, they can read copies of them from a Volume Shadow Copy.

Microsoft recommends restricting access to the affected folder and deleting Volume Shadow Copy Service (VSS) shadow copies to mitigate the problem.

Users should be aware that deleting shadow copies from their systems can affect system and file recovery operations, such as restoring data with third-party backup applications.

Here are the steps needed to temporarily block the exploitation of this vulnerability:

Restrict access to the contents of %windir%\system32\config:

  1. Open a Command Prompt or Windows PowerShell as an administrator.

  2. Run this command: icacls %windir%\system32\config\*.* /inheritance:e

Delete Volume Shadow Copy Service (VSS) shadow copies:

  1. Delete any System Restore points and shadow volumes that existed prior to restricting access to %windir%\system32\config.

  2. Create a new System Restore point (if desired).
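The following script is an added example, not code from Microsoft's advisory or from BleepingComputer. It covers both points above: it audits the hive ACLs to see whether a low-privileged group can read them (the exposure that makes the shadow-copy read described earlier possible), lists the shadow copies that would still hold readable hive copies, and applies the two-step workaround. Function names, the config path derived from $env:windir, and the definition of "exposed" (an Allow ACE granting ReadData to Users, Everyone or Authenticated Users) are assumptions of this example. Run it from an elevated PowerShell; the apply step is commented out so the audit alone is safe to run.

```powershell
# Added example, not from Microsoft's advisory or BleepingComputer: audit the
# hive ACLs for the CVE-2021-36934 exposure, then apply the two-step workaround
# from the text. Run from an elevated PowerShell on the affected machine.
# Assumptions (ours): hives live under $env:windir\System32\config, and "exposed"
# means an Allow ACE grants ReadData to Users, Everyone or Authenticated Users.

$ConfigDir = Join-Path $env:windir 'System32\config'
$Hives     = 'SAM', 'SECURITY', 'SYSTEM', 'DEFAULT', 'SOFTWARE'

function Test-SeriousSamExposure {
    # Reading a file's security descriptor only needs READ_CONTROL, which is not
    # blocked by the lock the OS holds on the live hives, so Get-Acl works here
    # even though Get-Content on the same file fails with a sharing violation.
    $lowPriv  = '^(BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users)$'
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($hive in $Hives) {
        $path = Join-Path $ConfigDir $hive
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $weak = (Get-Acl -LiteralPath $path).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([string]$_.IdentityReference) -match $lowPriv -and
            (([int]$_.FileSystemRights -band $readData) -ne 0)
        }
        [pscustomobject]@{
            Hive    = $hive
            Exposed = [bool]$weak
            Grants  = (($weak | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; ')
        }
    }
}

function Get-PreFixShadowCopies {
    # Any shadow copy taken before the ACL is fixed still holds a readable copy
    # of the hives, which is the path Delpy describes. List them so the deletion
    # below can be reviewed before it runs.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, InstallDate, VolumeName, DeviceObject
}

function Invoke-SeriousSamWorkaround {
    param([switch]$CreateRestorePoint)

    # Step 1 (Microsoft): re-enable inheritance so each hive file takes the
    # restrictive ACL of the config folder. Same command as the advisory's
    # icacls line; $env:windir is used because PowerShell does not expand %windir%.
    & icacls.exe "$ConfigDir\*.*" /inheritance:e | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

    # Step 2 (Microsoft): remove shadow copies and restore points that predate
    # the fix. This is destructive for recovery, as the text warns.
    & vssadmin.exe delete shadows /all /quiet | Out-Null

    # Optional: a fresh restore point, taken after the ACL fix so its hive copies
    # carry the corrected permissions. Fails if System Protection is off.
    if ($CreateRestorePoint) {
        Checkpoint-Computer -Description 'Post CVE-2021-36934 workaround' `
                            -RestorePointType 'MODIFY_SETTINGS'
    }
}

# Usage: audit, review what would be deleted, apply, re-audit.
Test-SeriousSamExposure | Format-Table -AutoSize
Get-PreFixShadowCopies  | Format-Table -AutoSize
# Invoke-SeriousSamWorkaround -CreateRestorePoint
# Test-SeriousSamExposure | Format-Table -AutoSize   # every Exposed should now be False
```

On a vulnerable build the audit shows each hive with BUILTIN\Users holding ReadAndExecute; after the icacls step the same audit should report Exposed = False for every hive. Note that /inheritance:e only corrects the files present in the folder and relies on the folder's own ACL being restrictive, which is why the re-audit matters, and that deleting shadow copies removes all of them, not just the ones containing hive copies.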

Microsoft is still investigating the vulnerability and is working on a patch that will most likely be released as an out-of-band security update this week.

“We are investigating and will take appropriate action to help customers stay protected,” Microsoft told BleepingComputer.
