H-ISAC TLP White Vulnerability: New Windows 10 Elevation of Privilege Vulnerability Discovered July 22, 2021

A new Windows 10 and 11 local elevation of privilege vulnerability has been discovered that enables users with low privileges to access sensitive Registry database files.

An attacker who successfully exploits this vulnerability, designated CVE-2021-36934, could run arbitrary code with full SYSTEM privileges and then install programs; view, change, or delete data; or create new accounts with full user rights. The flaw is a local elevation of privilege only: the attacker must already be able to execute code on the target system, for example through a standard user account or an earlier compromise.

Microsoft has published workarounds and additional mitigation strategies for this vulnerability, which are referenced in this alert. The workaround restricts access to the contents of %windir%\system32\config and deletes any Volume Shadow Copy Service (VSS) shadow copies and System Restore points created before that restriction, since older snapshots still contain readable copies of the files.

The Windows Registry is the configuration repository for the Windows operating system. Its hives hold, among other things, hashed account passwords, per-user customizations, application configuration, and the key material (the boot key in the SYSTEM hive) that protects those hashes. The on-disk hive files live under C:\Windows\System32\config and are split across several files, including SAM, SECURITY, SYSTEM, SOFTWARE and DEFAULT.

Because these files describe every account on the device and hold secrets used by Windows features (the SECURITY hive, for instance, stores LSA secrets and cached domain credentials), they must not be readable by standard users without elevated privileges. The same applies to the Security Account Manager (SAM) hive, which contains the NTLM password hashes of all local users; a threat actor holding those hashes can authenticate as those users without knowing their passwords.

Security researchers found that on Windows 10 and Windows 11 the hive file for the Security Account Manager (SAM), and the other Registry hives in the same folder, are readable by the built-in Users group, which carries no elevated privileges. The permissive file permissions were confirmed by researchers on a fully patched Windows 10 20H2 device. The live hives are held open exclusively by the kernel, so a standard user cannot read them directly, but Volume Shadow Copy Service (VSS) snapshots (created by System Restore and other features) contain copies of the same files with the same permissive permissions. By reading the SAM and SYSTEM hives from a shadow copy, a threat actor with limited privileges on the device can extract the NTLM password hashes of every local account and reuse them in pass-the-hash attacks to gain elevated privileges.
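The following PowerShell script is an added example for this alert; it is not code from H-ISAC, AHA or Microsoft. It audits a host for the condition behind CVE-2021-36934 (the built-in Users group holding read access on the hive files under %windir%\System32\config) and counts the VSS shadow copies that would let a standard user read them, then, with the -Remediate switch, applies Microsoft's published workaround: enabling ACL inheritance on the config folder's contents and deleting shadow copies. It goes slightly beyond the SAM file discussed above by also checking the SECURITY and SYSTEM hives, which an attacker needs alongside SAM to recover hashes. The function names and the -Remediate switch are this example's own; it assumes an elevated PowerShell 5.1 or later session on Windows 10 or 11.

```powershell
<#
  Added example (not from the H-ISAC alert or Microsoft). Audits a host for the
  CVE-2021-36934 condition and, with -Remediate, applies Microsoft's published
  workaround. Run from an elevated PowerShell prompt on Windows 10/11.
  Function names and the -Remediate switch are this example's own conventions.
#>
[CmdletBinding()]
param([switch]$Remediate)

$ConfigDir = Join-Path $env:windir 'System32\config'
$Hives     = 'SAM', 'SECURITY', 'SYSTEM'   # hives an attacker needs to recover local hashes
$UsersSid  = 'S-1-5-32-545'                # BUILTIN\Users, compared by SID so localized names do not matter

function Test-HiveReadableByUsers {
    param([Parameter(Mandatory)][string]$Path)
    # Get-Acl only needs READ_CONTROL, so it works even though the kernel holds the
    # live hive open exclusively (the same reason icacls can display its ACL).
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned/unresolvable principal cannot be BUILTIN\Users
        $canRead = ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
        if ($sid -eq $UsersSid -and $canRead) { return $true }
    }
    return $false
}

function Get-ShadowCopyCount {
    # Shadow copies hold snapshots of the hives with the same permissive ACLs; that is
    # how a standard user gets around the exclusive lock on the live files.
    @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
}

function Get-HiveNightmareStatus {
    $hiveStatus = foreach ($h in $Hives) {
        $p = Join-Path $ConfigDir $h
        [pscustomobject]@{
            Hive            = $h
            ReadableByUsers = (Test-Path -LiteralPath $p) -and (Test-HiveReadableByUsers -Path $p)
        }
    }
    $shadows = Get-ShadowCopyCount
    $vulnerable = [bool]($hiveStatus | Where-Object ReadableByUsers)
    [pscustomobject]@{
        Hives          = $hiveStatus
        ShadowCopies   = $shadows
        Vulnerable     = $vulnerable                        # bad ACL present; any future snapshot exposes it
        ExploitableNow = $vulnerable -and ($shadows -gt 0)  # a snapshot already exists to read from
    }
}

function Invoke-HiveNightmareWorkaround {
    # Microsoft workaround 1: re-enable ACL inheritance on everything in the config
    # folder so the hive files take the folder's restrictive ACL.
    & icacls.exe "$ConfigDir\*.*" /inheritance:e | Out-Null
    # Microsoft workaround 2: remove shadow copies made before the ACL fix; they still
    # contain readable hives. Caveat: this also deletes existing System Restore points,
    # and the command is one EDR products alert on (ransomware runs it), so expect noise.
    & vssadmin.exe delete shadows /all /quiet | Out-Null
}

$before = Get-HiveNightmareStatus
$before.Hives | Format-Table -AutoSize
"Shadow copies: $($before.ShadowCopies); vulnerable: $($before.Vulnerable); exploitable now: $($before.ExploitableNow)"

if ($Remediate -and $before.Vulnerable) {
    Invoke-HiveNightmareWorkaround
    $after = Get-HiveNightmareStatus
    "After workaround, vulnerable: $($after.Vulnerable); exploitable now: $($after.ExploitableNow)"
}
```

Run it without arguments first to see which hives expose an Allow entry for BUILTIN\Users and whether a shadow copy exists; a host with the bad ACL but no snapshot is still vulnerable, since the next restore point will expose the files. Only pass -Remediate after confirming the loss of existing restore points is acceptable, and install Microsoft's update for CVE-2021-36934 regardless, because the workaround only corrects the current files and does not prevent the ACLs from being reintroduced.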

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

Senior Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272