Microsoft has quickly issued a workaround for Windows 10 systems after the discovery of a serious vulnerability that could allow a successful attacker to increase their access to a compromised computer.
The problem is in the Windows Security Accounts Manager (SAM) database, which stores user accounts and the security descriptors for users on a computer.
“An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database,” Microsoft said in an advisory.
“An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
According to a news story on Ars Technica, reading the SAM database makes it possible to extract cryptographically protected password data, discover the password used to install Windows, obtain the computer keys for the Windows data protection API—which can be used to decrypt private encryption keys—and create an account on the vulnerable machine. The result is that the local user can elevate their privileges all the way to System, the highest level in Windows.
However, the attacker must already be able to execute code on a victim system to exploit this vulnerability. So far Microsoft has confirmed that the issue affects Windows 10 version 1809 and newer versions of the operating system.
Microsoft said in its advisory that it is continuing to investigate and will provide updates as they become available.
The issue was discovered by researcher Jonas Lykkegaard while working on a problem he found in the upcoming Windows 11. It was considered serious enough that the U.S. Computer Emergency Response Team (CERT) issued a vulnerability notice.
The issue has been assigned the identifier CVE-2021-36934.
The workaround involves correcting the errant permissions and then removing existing Windows volume shadow copies:

Restrict access to the contents of %windir%\system32\config
- Open Command Prompt or Windows PowerShell as an administrator.
- Run this command:
      icacls %windir%\system32\config\*.* /inheritance:e

Delete Volume Shadow Copy Service (VSS) shadow copies
- Delete any System Restore points and shadow volumes that existed prior to restricting access to %windir%\system32\config.
- Create a new System Restore point (if desired).
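The following PowerShell script is an added example, not code from the article or from Microsoft: it audits whether the built-in Users group holds read access on the SAM, SYSTEM and SECURITY hives (the condition the advisory describes), and with the assumed -Remediate switch applies the published icacls workaround; the assumed -DeleteShadows switch performs the second workaround step. It must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the article or Microsoft). Audits the hive ACLs
# for the overly permissive BUILTIN\Users read access and optionally applies
# the two workaround steps. Switch names are this example's own.
[CmdletBinding()]
param(
    [switch]$Remediate,      # re-enable ACL inheritance on %windir%\System32\config
    [switch]$DeleteShadows   # also remove existing VSS shadow copies (destructive)
)

$configDir = Join-Path $env:windir 'System32\config'
$usersSid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'  # BUILTIN\Users
$hives     = 'SAM', 'SYSTEM', 'SECURITY'

function Test-HiveExposed {
    # True when an Allow ACE for BUILTIN\Users grants ReadData on the file.
    param([string]$Path)
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $exposed = Get-Acl -LiteralPath $Path | Select-Object -ExpandProperty Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $readData) -ne 0) -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $usersSid
        }
    return [bool]$exposed
}

function Show-HiveStatus {
    foreach ($hive in $hives) {
        $path  = Join-Path $configDir $hive
        $state = if (Test-HiveExposed $path) { 'EXPOSED: Users can read' } else { 'ok' }
        Write-Output ('{0,-45} {1}' -f $path, $state)
    }
}

Show-HiveStatus

if ($Remediate) {
    # Microsoft's workaround: re-enable inheritance so the hive files take the
    # restrictive ACL of the config directory instead of the permissive ACEs.
    & icacls.exe (Join-Path $configDir '*.*') /inheritance:e | Out-Null
    Write-Output 'After remediation:'
    Show-HiveStatus
}

if ($DeleteShadows) {
    # Shadow copies taken before the ACL fix still contain readable hives.
    & vssadmin.exe delete shadows /all /quiet
} else {
    Write-Output 'Existing shadow copies (still expose the hives until deleted):'
    & vssadmin.exe list shadows
}
```

Running the script with no switches only reports; the audit step is also usable on its own to confirm that the fix has been applied across a fleet.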
Deleting shadow copies could affect restore operations, Microsoft warns, including the ability to restore data with third-party backup applications.
Microsoft also stresses that administrators must both restrict access and delete the shadow copies to prevent exploitation of this vulnerability; doing only one of the two leaves the hives exposed.