External risk intelligence

Windows SAM Privilege Escalation Vulnerability.

CVE advisory | Known exploit

CVE-2021-36934

A vulnerability in Windows allows attackers who already have code execution on a host to gain SYSTEM privileges, enabling them to install programs, alter data, or create new accounts. This presents a risk of unauthorized access and data compromise for affected organizations. Organizations should apply vendor updates and delete shadow copies.

Halo Surface Signal: 1

Microsoft Windows 10 1809 and later, affected builds:

  • before 10.0.17763.2114
  • before 10.0.18363.1734
  • before 10.0.19041.1165
  • before 10.0.19042.1165
  • before 10.0.19043.1165

External exposure likelihood

Halo Surface Signal score for CVE-2021-36934

This vulnerability involves permissive access control lists on local system files, such as the Security Accounts Manager database. Exploitation requires prior local code execution on the system, making it inherently local rather than internet-facing or reachable via network services.

Horizon Alert

Summary of the vulnerability and why it matters

Certain versions of Microsoft Windows are vulnerable due to overly permissive access controls on critical system files. This flaw allows an attacker with existing code execution capabilities on a system to escalate their privileges to the highest level. The potential impact includes unauthorized installation of programs, modification or deletion of data, and the creation of new user accounts with full administrative rights, significantly compromising system integrity and data confidentiality.

  • Vulnerable Microsoft Windows system files
  • Overly permissive access controls
  • Elevation of privilege to SYSTEM
  • Unauthorized data access or modification
  • Creation of new user accounts

Attack Path

How an attacker could exploit the issue

An elevation of privilege vulnerability exists due to overly permissive access control lists on critical system files. Attackers can exploit this by executing code on a victim system, which then allows them to run arbitrary code with SYSTEM privileges. That access can be used to install programs, alter or delete data, or create new accounts with full user rights.

  • Exposure requires local code execution.
  • Attacker gains SYSTEM privileges.
  • Attacker can install programs or alter and delete data.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows an attacker with existing access to a system to escalate their privileges to the highest level, known as SYSTEM. Such an attacker could then install software, modify or delete data, and create new user accounts with full administrative rights. This could lead to significant business disruption and data compromise. The exploitation of this vulnerability requires the attacker to first execute code on the affected system.

  • Attacker skill level: Moderate
  • Required access: Local code execution
  • Business risk or urgency: High, requires mitigation

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows an attacker with code execution on a system to elevate their privileges to the highest level. Successfully exploiting this could enable an attacker to install programs, access or modify data, and create new accounts. Immediate action is required to mitigate the associated business risk.

  • Identify systems with affected Windows versions.
  • Implement vendor-provided updates and delete shadow copies.
  • Verify successful patching and monitor for related activity.

Frequently asked questions

What is CVE-2021-36934, a vulnerability in Microsoft Windows?

CVE-2021-36934, also known as HiveNightmare or SeriousSAM, is an elevation of privilege vulnerability in Microsoft Windows. It exists due to overly permissive Access Control Lists (ACLs) on critical system files, including the Security Accounts Manager (SAM) database [1, 7]. Successful exploitation allows an attacker with code execution on a victim system to gain SYSTEM privileges [1, 10]. This enables them to install programs, view, change, or delete data, and create new accounts with full user rights [1, 10].

What type of weakness does CVE-2021-36934 represent?

This vulnerability is classified as an Access Control weakness. The root cause is improper Access Control List (ACL) configuration on system registry hives, where the BUILTIN\Users group was inadvertently granted read permissions on critical files like SAM, SYSTEM, and SECURITY [1]. This misconfiguration allows low-privileged users to read sensitive system files that should be protected [1, 7].

How can CVE-2021-36934 be triggered and what is its scope?

Exploitation requires an attacker to first gain the ability to execute code on the victim system [1, 7, 10]. The vulnerability is triggered by leveraging permissive ACLs on system files, particularly when Volume Shadow Copies (VSS) are available, as these copies preserve the permissive ACLs [1, 2]. The scope is limited to local privilege escalation, as it requires an attacker to already have a foothold on the system [1, 7].

What is the relevance of CVE-2021-36934, and why is it important for organizations?

CVE-2021-36934 is highly relevant as it allows for privilege escalation to SYSTEM level, posing a significant security risk. Attackers can extract password hashes and other sensitive security information, which can be used for further attacks like pass-the-hash, potentially leading to remote code execution as SYSTEM [1, 2, 8]. CISA has confirmed active exploitation in the wild [1].

What practical steps should be taken to respond to CVE-2021-36934?

To mitigate CVE-2021-36934, organizations must first apply Microsoft security updates. Crucially, simply installing the patch is insufficient; administrators must also manually delete all existing Volume Shadow Copies [1, 8]. Additionally, restricting access to the %windir%\system32\config directory using `icacls` commands is recommended [2, 3, 11]. After remediation, it is advised to re-enable System Protection and create a new restore point [1].
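The audit and remediation steps above, as an added PowerShell example that is not part of this advisory or of any Microsoft tooling. It assumes an elevated session on the host being checked; the function names `Test-HiveNightmareExposure`, `Get-ShadowCopyCount` and `Invoke-HiveNightmareWorkaround` are my own.

```powershell
# Added example, not part of the advisory: audit a host for the CVE-2021-36934
# conditions (BUILTIN\Users able to read the registry hives, shadow copies that
# preserve readable hives) and optionally apply the documented workaround.
# Run from an elevated PowerShell session on the host itself.

# The three hives the advisory names; BUILTIN\Users must not be able to read them.
$Hives = 'SAM', 'SYSTEM', 'SECURITY' |
    ForEach-Object { Join-Path $env:windir "System32\config\$_" }

function Test-HiveNightmareExposure {
    # Returns one object per hive saying whether BUILTIN\Users (S-1-5-32-545)
    # holds an Allow ACE that includes ReadData. The SID is matched instead of
    # the group name so the check also works on non-English installations.
    foreach ($hive in $Hives) {
        $readable = Get-Acl -Path $hive | Select-Object -ExpandProperty Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-32-545' -and
                ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
            }
        [pscustomobject]@{ Hive = $hive; UsersCanRead = [bool]$readable }
    }
}

function Get-ShadowCopyCount {
    # Shadow copies taken while the ACLs were permissive keep readable copies of
    # the hives, so a patched host stays exposed until they are removed.
    @(Get-CimInstance -ClassName Win32_ShadowCopy).Count
}

function Invoke-HiveNightmareWorkaround {
    # The workaround the FAQ describes: restore ACL inheritance on the config
    # directory, delete existing shadow copies, then re-enable System Protection
    # and create a fresh restore point so recovery still works afterwards.
    icacls "$env:windir\System32\config\*.*" /inheritance:e
    vssadmin delete shadows /all /quiet
    Enable-ComputerRestore -Drive "$env:SystemDrive\"
    Checkpoint-Computer -Description 'Post CVE-2021-36934 workaround' -RestorePointType MODIFY_SETTINGS
}

# Audit first; only remediate when a hive is readable or old shadow copies exist.
$exposure = Test-HiveNightmareExposure
$exposure | Format-Table -AutoSize
"Shadow copies present: $(Get-ShadowCopyCount)"
if ($exposure.UsersCanRead -contains $true -or (Get-ShadowCopyCount) -gt 0) {
    Invoke-HiveNightmareWorkaround
}
```

The audit functions are safe to run on their own for fleet-wide checks; only `Invoke-HiveNightmareWorkaround` changes the host, and deleting shadow copies removes existing restore points, so schedule it with that in mind.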

References