Windows 10 more vulnerable – revisited

I asked the other day if Windows 10 was more vulnerable. Turns out we have another problem with Windows 10 – and Windows 11 for that matter.

CVE-2021-36934 has been released to track an issue that a researcher has stumbled on … and it’s honestly been around for a while. Starting with Windows 10 1809 and later, the default permissions on the “Security accounts manager database” (also known as SAM database)  aren’t set right and if you are a non administrator user where you shouldn’t have the ability to access that file, in Windows 10 1809 and later you DO have rights to that file.

While on consumer and home computers this isn’t a huge issue, in businesses where keeping ransomware at bay is near impossible these days, it’s not a good thing at all.

Bleeping computer explains the situation…. “With these low file permissions, a threat actor with limited privileges on a device can extract the NTLM hashed passwords for all accounts on a device and use those hashes in pass-the-hash attacks to gain elevated privileges.”

The SANS site tells how specifically this vulnerability takes place….“The only issue here is how do we read those files: when Windows are running, the access to the files is locked and even though we have read permission, we won’t be able to read them.  As two great researchers found (@jonasLyk and @gentilkiwi), we can actually abuse Volume Shadow Copy to read the files. VSS will allow us to bypass the file being locked, and since we have legitimate read access, there’s nothing preventing us from reading the file. VSS is a feature that is enabled automatically on Windows and that allows us to restore previous copies in case something got messed up during installation of a new application or patch, for example. If your system disk is greater than 128 GB, it will be enabled automatically!”

Action items to take as a consumer:  Nothing.  The potential mitigation “apart from disabling/removing VSS copies. Keep in mind that the permission on the hives will still be wrong, but at least a non-privileged user will not be able to easily fetch these files due to them being locked by Windows as the system is running.” to me is not viable and puts your system at risk for not being able to use previous versions tab, backups and other goodness. I’d rather not change any permissions because given that this has been in place since 1809, software may be expecting these permissions. I’ll let you know when a patch or fix comes out, or a mitigation that I consider safe.

Actions to take as an IT Pro or MSP: Also nothing at this time. Again, I consider VSS copies too important to disable.

Bottom line, stay tuned.

Edit 7/23/2021 For IT Pros and MSPs, I’d recommend that you inventory your servers and clients to see if they are impacted.  See VU#506989 – Microsoft Windows gives unprivileged user access to system32\config files (cert.org)