Microsoft issues workaround for new Win10 privilege escalation problem

Microsoft has quickly issued a workaround for Windows 10 systems after the discovery of a serious vulnerability that could allow a successful attacker to increase their access to a compromised computer.

The problem is not in the Security Account Manager (SAM) itself but in the file-system permissions on the files that hold it. The SAM database stores local user accounts and the security descriptors for users on a computer, which is why it should never be readable by ordinary users.

“An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database,” Microsoft said in an advisory.

“An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

According to a news story on Ars Technica, reading the SAM database makes it possible to extract cryptographically protected password data, discover the password used to install Windows, obtain the computer keys for the Windows Data Protection API (DPAPI), which can be used to decrypt private encryption keys, and create an account on the vulnerable machine. The result is that a local user can elevate their privileges all the way to SYSTEM, the highest level in Windows.

However, the attacker must already be able to execute code on the victim system, as any non-administrative local user, to exploit this vulnerability. So far Microsoft has confirmed the issue affects Windows 10 version 1809 and newer versions of the operating system.

Microsoft said in its advisory that it is continuing to investigate and will provide updates as they become available.

The issue was discovered by researcher Jonas Lykkegaard while working on a problem he found in the upcoming Windows 11. It was considered serious enough that the CERT Coordination Center (CERT/CC) issued a vulnerability note.

The issue has been assigned CVE-2021-36934.

Workaround

The workaround involves correcting the errant permissions and then removing existing Windows volume shadow copies. The second step matters because the live hive files are held open by the operating system, so in practice an attacker reads the SAM from a Volume Shadow Copy snapshot; any snapshot taken before the permissions are fixed still contains a readable copy.

Restrict access to the contents of %windir%\system32\config

  1. Open Command Prompt or Windows PowerShell as an administrator.
  2. Run this command: icacls %windir%\system32\config\*.* /inheritance:e

Delete Volume Shadow Copy Service (VSS) shadow copies

  1. Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.
  2. Create a new System Restore point (if desired).
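The procedure above, as an added example that is not part of Microsoft's advisory or this article. It wraps the two workaround steps in an elevated PowerShell session and adds the check a practitioner wants before and after: whether the Users group (identified by its well-known SID S-1-5-32-545 so the check works on localized systems) has read access to the SAM, SECURITY and SYSTEM hives. Note that `%windir%` is cmd.exe syntax and is not expanded by PowerShell; the script uses `$env:windir` instead. The hive path, the restore-point description and the assumption that the system volume is `$env:SystemDrive` are the example's own.

```powershell
# Added example (not Microsoft's advisory text): check for the overly permissive
# ACL behind CVE-2021-36934, apply the icacls workaround, then remove the
# pre-existing shadow copies that still hold a readable copy of the hive.
# Run from an elevated PowerShell prompt. %windir% is cmd.exe syntax; in
# PowerShell use $env:windir (assumption: a standard install under C:\Windows).

$config = Join-Path $env:windir 'System32\config'
$hives  = 'SAM', 'SECURITY', 'SYSTEM'
$usersSid = 'S-1-5-32-545'   # BUILTIN\Users, regardless of display language

function Test-HiveExposed {
    # Returns $true if BUILTIN\Users has an Allow ACE granting read access
    # to the given hive file. Reading the ACL works even though the hive
    # itself is locked, because READ_CONTROL is not subject to sharing rules.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -eq $usersSid -and
            $ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)) {
            return $true
        }
    }
    return $false
}

function Show-HiveStatus {
    param([string]$Label)
    foreach ($h in $hives) {
        $p = Join-Path $config $h
        '{0,-7} {1,-9} readable by BUILTIN\Users: {2}' -f $Label, $h, (Test-HiveExposed $p)
    }
}

# 1. Before: on a vulnerable system, icacls shows BUILTIN\Users:(I)(RX) on the SAM.
Show-HiveStatus -Label 'BEFORE'

# 2. Restrict access, exactly as in the advisory: re-enable ACL inheritance so the
#    files take the restrictive ACL of the parent config directory.
icacls "$config\*.*" /inheritance:e

# 3. Shadow copies made before the fix still expose the old, readable hive.
#    List them first so you know which restore points and backups you will lose.
vssadmin list shadows

# Delete them. This is the destructive step the advisory warns about.
vssadmin delete shadows /for=$env:SystemDrive /all /quiet

# 4. Optionally create a fresh restore point that no longer exposes the hive.
Checkpoint-Computer -Description 'Post CVE-2021-36934 workaround' -RestorePointType MODIFY_SETTINGS

# 5. After: the same check should now report False for every hive.
Show-HiveStatus -Label 'AFTER'
```

Two caveats when running this: the `vssadmin delete shadows` line removes every snapshot on the system volume, including those third-party backup tools rely on, so confirm the listing from `vssadmin list shadows` is acceptable to lose before running it; and `Checkpoint-Computer` is rate-limited by Windows (by default one restore point per 24 hours), so step 4 may silently be skipped if a restore point was created recently.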

Microsoft warns that deleting shadow copies could affect the ability to restore the system, including restoring data with third-party backup applications.

It also stresses that administrators must do both, restrict access and delete shadow copies, to prevent exploitation of this vulnerability: fixing the permissions alone leaves the hive readable in any snapshot taken before the fix.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com