In this week's blog post, Compass IT Compliance Cybersecurity Professional Danielle Corsa analyzes several recent Microsoft vulnerabilities.
CVE-2021-36934 - SeriousSAM Vulnerability
On July 20th, 2021, Microsoft disclosed vulnerability CVE-2021-36934, named SeriousSAM or HiveNightmare.
Title: Microsoft Windows Elevation of Privilege Vulnerability (CVE-2021-36934)(Zero-day)(HiveNightmare/SeriousSAM)
Severity Level:
Vulnerability Type: Potential Vulnerability
Discovery Method: Authenticated Only
Authentication: Windows
As mentioned in the Microsoft publication, “An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability.” The privilege escalation allows users with low-level privileges (non-admins) to read the SAM, SYSTEM and SECURITY files stored in the C:\Windows\System32\Config directory. These files contain system secrets, local user accounts, the hashed passwords of those accounts, and other sensitive credential material. Read access to these files gives a threat actor with low-level privileges what they need to attempt a local privilege escalation.
The vulnerability affects versions of Windows 10 released after 2018, as well as Windows 11, because of overly permissive Access Control Lists (ACLs) on multiple system files; the Security Accounts Manager (SAM) database is the most sensitive of them.
Workarounds
Impact of Workaround
Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications. For more information on how to delete shadow copies, see KB5005357 - Delete Volume Shadow Copies.
Note: You must restrict access and delete shadow copies to prevent exploitation of this vulnerability.
Windows Print Spooler Elevation of Privilege Vulnerability CVE-2021-34481
QID 91786 Microsoft Windows Print Spooler Point and Print Insecure Configuration Detected (PrintNightmare) CVSS Base Score 9.0.
Title: Microsoft Windows Print Spooler Point and Print Insecure Configuration Detected (PrintNightmare)
Severity Level:
Vulnerability Type: Confirmed Vulnerability
Discovery Method: Authenticated Only
Authentication: Windows
Threat
The Print Spooler is software built into the Windows operating system that temporarily stores print jobs in the computer's memory until the printer is ready to print them. On 07/06/2021, Microsoft released updates to fix CVE-2021-34527 (PrintNightmare). Microsoft has confirmed in the description of CVE-2021-34527 that having 'Point and Print Restrictions' enabled and the "When installing drivers for a new connection" setting configured to "Do not show warning on elevation prompt" will leave systems vulnerable by design.
QID Detection Logic (authenticated): The QID checks whether the Print Spooler service is present and running, and whether 'Point and Print Restrictions' is enabled with the "When installing drivers for a new connection" setting configured to "Do not show warning on elevation prompt". That configuration corresponds to the registry value NoWarningNoElevationOnInstall under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint being set to 1.
Impact
Successful exploitation allows an attacker to execute arbitrary code with SYSTEM privileges.
Solution
Currently, there is no patch available for this vulnerability.
Workarounds
Determine if the Print Spooler service is running.
Run the following: Get-Service -Name Spooler
If the Print Spooler is running, or if the service is not set to Disabled, select one of the following options: either disable the Print Spooler service, or disable inbound remote printing through Group Policy. In both cases, confirm that the Point and Print registry values are at their secure defaults:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
NoWarningNoElevationOnUpdate = 0 (DWORD) or not defined (default setting)
To stop and disable the Print Spooler service, run the following:
Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
Impact of workaround
Disabling the Print Spooler service disables the ability to print both locally and remotely.
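As an added example that is not part of the original post (and not Microsoft's or Qualys's code), the following PowerShell script audits a host for both conditions described above: the hive-file ACLs and shadow-copy state behind CVE-2021-36934, and the Spooler state plus the PointAndPrint registry values that the PrintNightmare QID checks. It assumes an elevated PowerShell 5.1 or later session on the host under review; the function names are my own.

```powershell
# Added audit script; not from the original post or from Microsoft/Qualys.
# Assumptions: elevated PowerShell 5.1+ on the host under review; the hive
# paths and registry value names are the ones quoted in the post.

function Test-SeriousSamExposure {
    # CVE-2021-36934: BUILTIN\Users must not hold read access on the hive files,
    # and the live files are locked, so a shadow copy is what makes them readable.
    $hives    = foreach ($n in 'SAM', 'SYSTEM', 'SECURITY') { Join-Path $env:windir "System32\config\$n" }
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $shadows  = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
    foreach ($hive in $hives) {
        $acl = Get-Acl -Path $hive
        # Only explicit ReadData ACEs are matched; generic-right ACEs are not expanded here.
        $usersRead = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $readData) -ne 0)
        })
        [pscustomobject]@{
            Hive         = $hive
            UsersCanRead = $usersRead.Count -gt 0   # $true means the ACL workaround is still needed
            ShadowCopies = $shadows                 # non-zero means exposed hives may be readable
        }
    }
}

function Test-PointAndPrintExposure {
    # CVE-2021-34481 insecure configuration: Spooler running together with
    # NoWarningNoElevationOnInstall = 1 is the condition the QID flags.
    $key     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $props   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue   # $null when the key is absent
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $onInstall = if ($props) { $props.NoWarningNoElevationOnInstall } else { $null }
    $onUpdate  = if ($props) { $props.NoWarningNoElevationOnUpdate }  else { $null }
    [pscustomobject]@{
        SpoolerStatus                 = if ($spooler) { $spooler.Status }    else { 'NotInstalled' }
        SpoolerStartType              = if ($spooler) { $spooler.StartType } else { 'NotInstalled' }
        NoWarningNoElevationOnInstall = $onInstall   # $null means 'not defined' (the secure default)
        NoWarningNoElevationOnUpdate  = $onUpdate
        InsecureConfig                = [bool]($spooler -and $spooler.Status -eq 'Running' -and $onInstall -eq 1)
    }
}

Test-SeriousSamExposure    | Format-Table -AutoSize
Test-PointAndPrintExposure | Format-List
```

A host is remediated for the first finding only when UsersCanRead is false for all three hives and ShadowCopies is 0; for the second, when InsecureConfig is false.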
Now would be a good time to run a vulnerability scan to see if these vulnerabilities exist in your environment, or to implement a continuous scan monitoring tool that alerts you to findings such as these. In addition to the workarounds above, automated detection and prevention tools can be used, for example by running PowerShell commands from the tool's user interface. Contact us today to learn more about these vulnerabilities and the steps you can take to protect your systems!