Last weekend, the well-known cybersecurity researcher Jonas Lykkegaard reported a rather serious vulnerability in Windows 10.
All versions of Windows 10 released in the last 2.5 years (as well as Windows 11) are vulnerable to an issue dubbed SeriousSAM and HiveNightmare. Because of this bug, an attacker can elevate their privileges and gain access to the passwords of user accounts.
The vulnerability relates to how Windows 10 controls access to files such as SAM, SECURITY, and SYSTEM:
- C:\Windows\System32\config\sam
- C:\Windows\System32\config\security
- C:\Windows\System32\config\system
Let me remind you that these files store information such as the hashed passwords of all Windows user accounts, security-related settings, encryption key data, and other important information about the OS kernel configuration. If a potential attacker can read the files, the information obtained will help them gain access to user passwords and critical system settings.
Normally, only a Windows administrator can interact with these files. However, while testing Windows 11, the expert noticed that although the OS restricts access to these files for low-privileged users, readable copies of the files are preserved in Volume Shadow Copies. Moreover, as it turned out, this problem appeared in the Windows 10 code back in 2018, after the release of version 1809.
Gaining access to the Security Account Manager (SAM) configuration file is always a serious problem, as an attacker can extract the hashed passwords, crack those hashes, and hijack accounts. Even worse, SYSTEM and SECURITY can contain other, equally dangerous data, including DPAPI encryption keys and machine account details (used to join computers to Active Directory). Below you can see a demonstration of such an attack, recorded by the creator of Mimikatz, Benjamin Delpy.
Microsoft has already acknowledged the problem and assigned it the identifier CVE-2021-36934.
So far, Microsoft is only investigating the issue and is working on a patch that will most likely be released as an emergency security update later this week. In the meantime, the company only recommends restricting access to the affected folder and deleting the existing shadow copies.
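As an added example (not code from the article, from Microsoft, or from the researchers it cites), the following PowerShell script performs the check an administrator would want before and after applying the two mitigations the article mentions. Test-HiveExposure reports whether BUILTIN\Users has read access to the three hive files and lists the existing VSS shadow copies; Repair-HiveExposure re-enables ACL inheritance on the config folder with icacls and deletes the shadow copies with vssadmin. The function names are this example's own; icacls and vssadmin are standard Windows tools. Run it from an elevated prompt.

```powershell
# Added example: defender's check and mitigation for the SeriousSAM / HiveNightmare
# (CVE-2021-36934) conditions described in the article. Function names are
# this example's own; run from an elevated PowerShell prompt on Windows 10/11.

function Test-HiveExposure {
    # Returns an object with one entry per hive file (can BUILTIN\Users read it?)
    # and the list of shadow copies that may still hold readable copies of them.
    $hives = 'sam', 'security', 'system' | ForEach-Object {
        Join-Path $env:windir "System32\config\$_"
    }
    # Compare by SID rather than by name so the check works on localized Windows.
    $usersSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'

    $results = foreach ($hive in $hives) {
        $acl = Get-Acl -LiteralPath $hive
        $readable = $false
        foreach ($ace in $acl.Access) {
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            } catch {
                continue   # unresolvable account: ignore this entry
            }
            if ($sid -eq $usersSid -and
                $ace.AccessControlType -eq 'Allow' -and
                ([int]$ace.FileSystemRights -band [int][System.Security.AccessControl.FileSystemRights]::ReadData)) {
                $readable = $true
            }
        }
        [pscustomobject]@{
            Hive            = $hive
            UsersCanRead    = $readable
            InheritedRights = -not $acl.AreAccessRulesProtected
        }
    }

    # Existing shadow copies: the article notes that copies of the hive files live there.
    $shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, VolumeName, InstallDate

    [pscustomobject]@{
        Hives        = $results
        Vulnerable   = [bool]($results | Where-Object UsersCanRead)
        ShadowCopies = $shadows
    }
}

function Repair-HiveExposure {
    # Applies the two mitigations the article describes.
    param([string]$Volume = $env:SystemDrive)

    # 1. Re-enable inheritance so the hive files pick up the folder's restrictive ACL.
    icacls "$env:windir\System32\config\*.*" /inheritance:e | Out-Null

    # 2. Delete existing shadow copies; they still contain the over-permissive copies.
    vssadmin delete shadows "/for=$Volume" /Quiet | Out-Null
}

# Usage: report first, then remediate only if the check found exposed hives.
$report = Test-HiveExposure
$report.Hives | Format-Table -AutoSize
$report.ShadowCopies | Format-Table -AutoSize
if ($report.Vulnerable) {
    Repair-HiveExposure
    Write-Host "Mitigations applied; re-run Test-HiveExposure to confirm."
}
```

Fixing the ACL on the live files does not reach the copies already captured in earlier shadow copies, which is why the article's second recommendation (deleting shadow copies) is needed and why the check lists them. Deleting shadow copies also removes System Restore points on that volume, so take a fresh restore point or backup afterwards if you rely on them.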
It is worth noting that well-known information security expert Kevin Beaumont has already published a PoC exploit for SeriousSAM so that admins can check which of their systems are vulnerable to attacks.
Let me remind you that I also reported on a Windows 10 bug that causes a BSOD when a specific path is opened.