{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/506989#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\n\r\nMultiple versions of Windows 10 grant non-administrative users read access to files in the `%windir%\\system32\\config` directory. This can allow for local privilege escalation (LPE).\r\n\r\n### Description\r\n\r\nWith multiple versions of Windows 10, the `BUILTIN\\Users` group is given `RX` permissions to files in the `%windir%\\system32\\config` directory.\r\n\r\nIf a VSS shadow copy of the system drive is available, a non-privileged user may leverage access to these files to achieve a number of impacts, including but not limited to:\r\n\r\n* Extract and leverage account password hashes.\r\n* Discover the original Windows installation password.\r\n* Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.\r\n* Obtain a computer machine account, which can be used in a [silver ticket attack](https://www.sans.org/blog/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-and-more/).\r\n\r\nNote that VSS shadow copies may not be available in some configurations; however, simply having a system drive that is larger than 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy will be [automatically created](https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/system-restore-points-disabled#more-information). 
To check if a system has VSS shadow copies available, run the following command from a privileged command prompt:\r\n\r\n`vssadmin list shadows`\r\n\r\nA system with VSS shadow copies will report details of at least one shadow copy that specifies `Original Volume: (C:)`, such as the following:\r\n\r\n```\r\nvssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool\r\n(C) Copyright 2001-2013 Microsoft Corp.\r\n\r\nContents of shadow copy set ID: {d9e0503a-bafa-4255-bfc5-b781cb27737e}\r\n   Contained 1 shadow copies at creation time: 7/19/2021 10:29:49 PM\r\n      Shadow Copy ID: {b7f4115b-4242-4e13-84c0-869524965718}\r\n         Original Volume: (C:)\\\\?\\Volume{4c1bc45e-359f-4517-88e4-e985330f72e9}\\\r\n         Shadow Copy Volume: \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\r\n         Originating Machine: DESKTOP-PAPIHMA\r\n         Service Machine: DESKTOP-PAPIHMA\r\n         Provider: 'Microsoft Software Shadow Copy provider 1.0'\r\n         Type: ClientAccessibleWriters\r\n         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered\r\n```\r\n\r\nA system **without** VSS shadow copies will produce output like the following:\r\n\r\n```\r\nvssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool\r\n(C) Copyright 2001-2013 Microsoft Corp.\r\n\r\nNo items found that satisfy the query.\r\n```\r\n\r\nTo check if a system is vulnerable, the following command can be used from a non-privileged command prompt:\r\n\r\n`icacls %windir%\\system32\\config\\sam`\r\n\r\nA vulnerable system will report `BUILTIN\\Users:(I)(RX)` in the output like this:\r\n\r\n```\r\nC:\\Windows\\system32\\config\\sam BUILTIN\\Administrators:(I)(F)\r\n                               NT AUTHORITY\\SYSTEM:(I)(F)\r\n                               BUILTIN\\Users:(I)(RX)\r\n                               APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)\r\n                               APPLICATION PACKAGE 
AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)\r\n\r\nSuccessfully processed 1 files; Failed processing 0 files\r\n```\r\n\r\nA system that is not vulnerable will report output like this:\r\n\r\n```\r\nC:\\Windows\\system32\\config\\sam: Access is denied.\r\nSuccessfully processed 0 files; Failed processing 1 files\r\n```\r\n\r\nThis vulnerability has been publicly referred to as both HiveNightmare and SeriousSAM, while Microsoft has assigned CVE-2021-36934 to the vulnerability.\r\n\r\n### Impact\r\n\r\nBy accessing files in the Windows `%windir%\\system32\\config` directory on a vulnerable system with at least one VSS shadow copy of the system drive, a local authenticated attacker may be able to achieve LPE, masquerade as other users, or achieve other security-related impacts.\r\n\r\n### Solution\r\n\r\nPlease see the [Microsoft bulletin for CVE-2021-36934](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934), which contains a workaround. Specifically:\r\n\r\n#### Restrict access to %windir%\\system32\\config and remove VSS shadow copies\r\n\r\nVulnerable systems can enable ACL inheritance for files in the `%windir%\\system32\\config` directory by running the following command from an elevated prompt:\r\n\r\n```\r\nicacls %windir%\\system32\\config\\*.* /inheritance:e\r\n```\r\n\r\nOnce the ACLs have been corrected for these files, any VSS shadow copies of the system drive must be deleted to protect a system against exploitation. This can be accomplished with the following command:\r\n\r\n```\r\nvssadmin delete shadows /for=%systemdrive% /Quiet\r\n```\r\n\r\nConfirm that VSS shadow copies were deleted by running `vssadmin list shadows` again. Note that any capabilities relying on existing shadow copies, such as System Restore, will not function as expected. Newly created shadow copies, which will contain the proper ACLs, will function as expected. 
Please see [KB5005357](https://support.microsoft.com/en-us/topic/kb5005357-delete-volume-shadow-copies-1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7) for more details.\r\n\r\n### Acknowledgements\r\nThis vulnerability was publicly disclosed by Jonas Lyk, with additional details provided by Benjamin Delpy.\r\n\r\nThis document was written by Will Dormann.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document 
released","category":"self","url":"https://kb.cert.org/vuls/id/506989"},{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934","summary":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934"},{"url":"https://support.microsoft.com/en-us/topic/kb5005357-delete-volume-shadow-copies-1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7","summary":"https://support.microsoft.com/en-us/topic/kb5005357-delete-volume-shadow-copies-1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7"},{"url":"https://twitter.com/jonasLyk/status/1417205166172950531","summary":"https://twitter.com/jonasLyk/status/1417205166172950531"},{"url":"https://twitter.com/gentilkiwi/status/1417467063883476992","summary":"https://twitter.com/gentilkiwi/status/1417467063883476992"},{"url":"https://www.sans.org/blog/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-and-more/","summary":"https://www.sans.org/blog/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-and-more/"},{"url":"https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/system-restore-points-disabled#more-information","summary":"https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/system-restore-points-disabled#more-information"},{"url":"https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5","summary":"https://doublepulsar.com/hivenightmare-aka-serioussam-anybody-can-read-the-registry-in-windows-10-7a871c465fa5"},{"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934","summary":"Reference(s) from vendor \"Microsoft\""}],"title":"Microsoft Windows 10 gives unprivileged user access to system32\\config files","tracking":{"current_release_date":"2021-07-29T16:29:54+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#506989","initial_release_date":"2021-07-20 
16:48:31.185957+00:00","revision_history":[{"date":"2021-07-29T16:29:54+00:00","number":"1.20210729162954.11","summary":"Released on 2021-07-29T16:29:54+00:00"}],"status":"final","version":"1.20210729162954.11"}},"vulnerabilities":[{"title":"Microsoft Windows 10 allows non-admin users to read the SAM, SYSTEM, and SECURITY files.","notes":[{"category":"summary","text":"Microsoft Windows 10 allows non-admin users to read the SAM, SYSTEM, and SECURITY files."}],"cve":"CVE-2021-36934","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#506989"}],"product_status":{"known_affected":["CSAFPID-1ec2b9bc-3a71-11f1-a172-0afffb3ee71d"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Microsoft","product":{"name":"Microsoft Products","product_id":"CSAFPID-1ec2b9bc-3a71-11f1-a172-0afffb3ee71d"}}]}}