Windows Elevation of Privilege Vulnerability (CVE-2021-36934)

A vulnerability in Windows was disclosed recently.  An attacker who successfully exploits it can run arbitrary code with SYSTEM privileges.  Note that, per Microsoft, the attacker must already be able to execute code on the victim system, so this is a local privilege escalation and not a remote attack.  Microsoft has published https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934 to track the information.

  • The root cause is excessive access rights, or in Microsoft's words: "overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database".  In practice, the SAM, SYSTEM and SECURITY registry hive files under %windir%\system32\config are readable by members of BUILTIN\Users.  A non-admin user cannot open the live hives (Windows holds them exclusively), but can read the copies of them inside Volume Shadow Copy snapshots and extract local account password hashes and LSA secrets such as cached domain credentials and the machine account password.
  • At the time of writing, neither endpoint protection (e.g. Kaspersky) nor network firewalls (e.g. Palo Alto) detect or prevent it.  For the firewall this is expected: exploitation is entirely local and generates no network traffic.
  • There is no patch for it right now.  The workaround is to remove the excessive access rights and to delete any shadow copies that still contain the files with the permissive ACL.  This must be done on each affected PC and server.

Affected OS

  • Windows 10 1809, 1909, 2004, 20H2, 21H1
    • Please note that the Home and Pro editions of Windows 10 1809 are already End-of-Support (Enterprise, Education and LTSC 2019 editions of 1809 are still serviced).  Those machines should have been upgraded to a currently supported version by now.
  • Windows Server 2019, v2004, v20H2
    • Please note that Windows Server v2004 and v20H2 are Semi-Annual Channel releases.  Most servers run Windows Server 2019, which is a Long-Term Servicing Channel (LTSC) release.

Recommendations

  • For users still on Windows 10 1809 (Home/Pro), please upgrade to 20H2 or 21H1 first.
  • For all affected systems, please follow the "Workarounds" in https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934.  Basically, you should:
    • Restrict access to the contents of %windir%\system32\config
      • Command Prompt (Run as administrator): icacls %windir%\system32\config\*.* /inheritance:e
      • Windows PowerShell (Run as administrator): icacls $env:windir\system32\config\*.* /inheritance:e
      • /inheritance:e re-enables ACL inheritance on every file in that directory, so each file receives the directory's own (restrictive) ACL again and loses the stale entry that grants BUILTIN\Users read access.  To check a machine before and after, run icacls %windir%\system32\config\sam: a vulnerable system lists BUILTIN\Users:(I)(RX); after the fix that entry is gone.
  • You should also "Delete Volume Shadow Copy Service (VSS) shadow copies" as described in the document.  Fixing the ACLs alone is not enough: any shadow copy taken before the fix still holds copies of the SAM, SYSTEM and SECURITY hives with the old permissive ACL, and reading the hives out of a shadow copy is exactly how the vulnerability is exploited.  Please note that:
    • If you use backup software that relies on VSS, manage (and delete) those snapshots through the backup software rather than with vssadmin
    • If you don't want to, or cannot, delete all VSS shadow copies on all drives (especially on shared data drives), at least delete the shadow copies on the boot volume (usually C:), since that is the volume holding the hive files
    • For details on how to delete VSS shadow copies, please refer to https://support.microsoft.com/topic/1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7.  After deleting them, create a new restore point if you rely on System Restore.
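The audit and the two workaround steps above, combined into one script as an added example.  This script is mine, written for this advisory; it is not Microsoft's code and not part of the original page.  The function names, the list of "weak" principals and the -Remediate switch are my choices; the icacls and vssadmin command lines are the ones from the MSRC workaround section.  It assumes an elevated PowerShell session (Windows PowerShell 5.1 or PowerShell 7) on one of the affected builds.

```powershell
<#
  Audit one host for the CVE-2021-36934 ACL defect and, with -Remediate, apply the
  MSRC workaround: icacls /inheritance:e on system32\config, then delete the shadow
  copies on the system drive only.  Run from an elevated PowerShell session.
  (Added example for this advisory; not Microsoft's script.)
#>
param([switch]$Remediate)

# The three hive files whose ACLs matter.  SAM holds local account hashes, SYSTEM the
# key needed to decrypt them, SECURITY the LSA secrets (machine account password,
# cached domain credentials).
$HiveFiles = 'SAM', 'SYSTEM', 'SECURITY' |
    ForEach-Object { Join-Path $env:windir "System32\config\$_" }

# Principals that should never hold read access on these files (my list).
$WeakPrincipals = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone'

function Test-HiveAcl {
    # Returns one object per hive with Vulnerable = $true when a low-privilege principal
    # holds an Allow ACE that includes ReadData (the (RX) entry seen on affected builds).
    # Get-Acl reads only the security descriptor, so it works although the live hives
    # are locked by the kernel.
    foreach ($file in $HiveFiles) {
        $acl  = Get-Acl -LiteralPath $file
        $weak = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $WeakPrincipals -contains $_.IdentityReference.Value -and
            (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0)
        })
        [pscustomobject]@{
            File        = $file
            Vulnerable  = ($weak.Count -gt 0)
            WeakEntries = ($weak | ForEach-Object { "$($_.IdentityReference) $($_.FileSystemRights)" }) -join '; '
        }
    }
}

function Get-ShadowCopyInventory {
    # Lists existing VSS snapshots with their drive letter.  A snapshot taken before the
    # ACL fix still contains the hives with the permissive ACL, readable by any user via
    # \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\Windows\System32\config\SAM.
    $volumes = Get-CimInstance -ClassName Win32_Volume
    foreach ($sc in Get-CimInstance -ClassName Win32_ShadowCopy) {
        $vol = $volumes | Where-Object DeviceID -eq $sc.VolumeName
        [pscustomobject]@{
            Id      = $sc.ID
            Drive   = $vol.DriveLetter      # e.g. "C:"
            Created = $sc.InstallDate
            Device  = $sc.DeviceObject
        }
    }
}

function Invoke-AclWorkaround {
    # MSRC workaround step 1: re-enable ACL inheritance on every file in the config
    # directory.  The files then receive the directory's own (restrictive) ACL, which
    # removes the stale BUILTIN\Users (I)(RX) entry.
    & icacls "$env:windir\System32\config\*.*" /inheritance:e | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

function Remove-SystemDriveShadowCopies {
    # MSRC workaround step 2, limited to the boot volume as the advisory suggests when
    # snapshots on data volumes must be kept.  Coordinate with any backup product that
    # owns these snapshots before running this.
    & vssadmin delete shadows "/for=$env:SystemDrive" /all /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "vssadmin failed with exit code $LASTEXITCODE" }
}

# Audit (always runs)
$before = Test-HiveAcl
$before | Format-Table -AutoSize
$shadows    = @(Get-ShadowCopyInventory)
$sysShadows = @($shadows | Where-Object Drive -eq $env:SystemDrive)
Write-Host ("{0} shadow copies present, {1} on {2}" -f $shadows.Count, $sysShadows.Count, $env:SystemDrive)

if (-not $Remediate) { return }

# Remediate (only with -Remediate)
if ($before.Vulnerable -contains $true) {
    Invoke-AclWorkaround
    $after = Test-HiveAcl
    if ($after.Vulnerable -contains $true) { throw 'ACL workaround did not take effect; check the icacls output manually' }
    Write-Host 'Hive ACLs fixed.'
}
if ($sysShadows.Count -gt 0) {
    Remove-SystemDriveShadowCopies
    Write-Host "Shadow copies on $env:SystemDrive deleted; create a new restore point if you rely on System Restore."
}
```

Save it under any name (for example Check-HiveAcl.ps1, a name of my choosing) and run it without parameters first to see which hives are exposed and how many snapshots exist; run it again with -Remediate to apply the fix.  The audit part is safe to run via your management tooling across the estate to find the machines that still need attention.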

 

Published on: 26 Jul 2021