CVE-2021-36934
Published: 22 July 2021
Summary
CVE-2021-36934 is a high-severity vulnerability of unspecified weakness type in Microsoft Windows 10 1809. Its CVSS base score is 7.8 (High).
Operationally, it is ranked in the top 0.4% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2021-36934 is an elevation-of-privilege vulnerability in Windows caused by overly permissive Access Control Lists on multiple system files, including the Security Accounts Manager (SAM) database. Successful exploitation allows an attacker to run arbitrary code with SYSTEM-level privileges on the affected system.
An attacker must already be able to execute code on the victim machine. Once exploited, the attacker can install programs, view or modify data, delete files, and create new accounts with full administrative rights. The CVSS 3.1 base score is 7.8 with a local attack vector, low attack complexity, and low privileges required.
Microsoft’s advisory states that the security update alone does not fully remediate the issue; administrators must also manually delete all Volume Shadow Copies of the affected system files, including the SAM database, as described in KB5005357. Public exploit code released under the names HiveNightmare and SeriousSAM demonstrates the flaw using standard user privileges to read sensitive registry hives from shadow copies.
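The remediation described above has two halves: the hive files under System32\config must stop being readable by ordinary users, and any Volume Shadow Copies that still hold the old copies must be removed. The following PowerShell script is an added audit example written for this page, not code from Microsoft's advisory or KB5005357. It reports whether the local host still shows either condition and, with the script's own -Remediate switch, applies the KB5005357 steps. The hive names SECURITY and SYSTEM alongside SAM, and the exact icacls and vssadmin invocations, are assumptions based on the KB wording; run it from an elevated prompt.

```powershell
# Added audit/remediation script for CVE-2021-36934; not part of the advisory or the KB.
# Checks two conditions on the local host:
#   1. BUILTIN\Users holds read access on the registry hive files under System32\config
#   2. Volume Shadow Copies exist (older hive copies stay readable inside them)
# -Remediate applies the KB5005357 steps (assumed: icacls inheritance reset and
# shadow-copy deletion). Run from an elevated PowerShell prompt.
[CmdletBinding()]
param(
    [switch]$Remediate
)

# SAM is named in the advisory; SECURITY and SYSTEM are assumed to share the ACL
# problem because they live in the same directory the KB command covers.
$hivePaths = 'SAM', 'SECURITY', 'SYSTEM' |
    ForEach-Object { Join-Path $env:windir "System32\config\$_" }

function Test-UsersReadAccess {
    param([Parameter(Mandatory)][string]$Path)
    # Vulnerable state: an Allow ACE for BUILTIN\Users (S-1-5-32-545) carrying
    # ReadData on the hive file. Get-Acl reads only the security descriptor,
    # so it works even though the hive itself is locked by the kernel.
    $usersSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
    $usersName = $usersSid.Translate([System.Security.Principal.NTAccount]).Value
    $readData  = [System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $usersName -and
            (($ace.FileSystemRights -band $readData) -eq $readData)) {
            return $true
        }
    }
    return $false
}

function Get-HostState {
    # One row per hive plus the current shadow-copy count for the host.
    $hives = foreach ($p in $hivePaths) {
        [pscustomobject]@{ Hive = $p; UsersCanRead = Test-UsersReadAccess -Path $p }
    }
    [pscustomobject]@{
        Hives        = $hives
        ShadowCopies = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
    }
}

$before = Get-HostState
$before.Hives | Format-Table -AutoSize
"Shadow copies present: $($before.ShadowCopies)"

$exposed = @($before.Hives | Where-Object UsersCanRead).Count -gt 0
if ($exposed -and $before.ShadowCopies -gt 0) {
    Write-Warning 'Vulnerable: hive files are readable by Users and shadow copies exist.'
} elseif ($exposed) {
    Write-Warning 'Hive ACLs are still permissive; correct them before new shadow copies are taken.'
} else {
    'Hive ACLs look correct.'
}

if ($Remediate) {
    # KB5005357 steps: restore inherited ACLs on the config directory contents,
    # then delete existing shadow copies so the old hive copies are no longer exposed.
    # Note: deleting shadow copies also discards System Restore points on that volume.
    & icacls "$env:windir\System32\config\*.*" /inheritance:e
    & vssadmin delete shadows "/for=$env:SystemDrive" /all /quiet
    $after = Get-HostState
    $after.Hives | Format-Table -AutoSize
    "Shadow copies present after remediation: $($after.ShadowCopies)"
}
```

The ACL test deliberately looks for the BUILTIN\Users principal rather than for any non-administrator, because that is the grant the advisory describes as overly permissive; the shadow-copy count is reported separately because a host whose ACLs are already fixed is still exposed until older copies are gone. Run without -Remediate first so the audit output can be recorded before anything is changed.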
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-23510
Vulnerability details
An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
An attacker must have the ability to execute code on a victim system to exploit this vulnerability.
After installing this security update, you must manually delete all shadow copies of system files, including the SAM database, to fully mitigate this vulnerability. Simply installing this security update will not fully mitigate this vulnerability. See KB5005357 - Delete Volume Shadow Copies (https://support.microsoft.com/topic/1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7).
- CWE(s):
- KEV Date Added: 10 February 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces proper ACLs on system files such as the SAM database, preventing unauthorized local reads from shadow copies.
- AC-6 (Least Privilege): requires least-privilege file permissions so standard users cannot access sensitive registry hives in Volume Shadow Copies.
- CM-6 (Configuration Settings): mandates secure configuration settings that include hardened ACLs and removal of vulnerable shadow copies after patching.