New vulnerability CVE-2021-36934 and how to avoid/fix it?

  cve, quickfix, security, updates, windows

Windows keeps the hashed passwords of all OS accounts, encryption key material and other sensitive data in three registry hive files, SAM, SECURITY and SYSTEM:

  • C:\Windows\System32\config\sam

  • C:\Windows\System32\config\security

  • C:\Windows\System32\config\system

The essence of the vulnerability is that if a shadow copy of these files has been made in any way, a standard user can read them from it immediately. This affects some versions of Windows 10 and 11. Normally, even after a shadow copy has been made, these files cannot be read with plain user rights.

Why is the vulnerability called "Windows Elevation of Privilege Vulnerability"?

Once the desired password hash has been obtained, privileges can be elevated.

The reasoning is that reading these files normally requires administrator rights; if a regular user can do the same in the same situation, that counts as an elevation of privilege.

The point is that previously the three files first had to be transferred to another OS and opened there in some way, for example with secretsdump.

How can this problem be avoided?

It is recommended to restrict access to the contents of %windir%\system32\config and to delete all system restore points and shadow volumes that existed before the access restriction was applied.

Or, if possible, install the latest Windows updates.

Also, don’t forget about this official Microsoft guide
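As an added example (not part of the original post), the following PowerShell script audits the two preconditions described above, an ACL on the hive files that grants BUILTIN\Users read access and the presence of shadow copies, and with -Fix applies the Microsoft workaround of re-enabling ACL inheritance on the config directory contents and deleting existing shadow copies. It assumes an elevated session and that C: is the system drive.

```powershell
# Added example, not from the original post: audit CVE-2021-36934 preconditions
# and optionally apply the Microsoft workaround. Run from an elevated PowerShell.
# Assumption: C: is the system drive.
param([switch]$Fix)

$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'sam', 'security', 'system' | ForEach-Object { Join-Path $configDir $_ }
$readData  = [int][System.Security.AccessControl.FileSystemRights]::ReadData

# 1. Vulnerable ACL: BUILTIN\Users holds an Allow ACE with read access on the hives.
$exposed = foreach ($h in $hives) {
    $acl = Get-Acl -Path $h
    $bad = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $readData) -ne 0)
    }
    if ($bad) { $h }
}

# 2. Shadow copies: the live hives are locked, but a copy in a snapshot is readable
#    by anyone the ACL permits, which is what makes the weak ACL exploitable.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

if ($exposed) {
    Write-Host 'Over-permissive ACL on:'
    $exposed | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host 'Hive ACLs do not grant BUILTIN\Users read access.'
}
Write-Host "Shadow copies present: $($shadows.Count)"
if ($exposed -and $shadows.Count -gt 0) {
    Write-Host 'System matches the CVE-2021-36934 conditions.'
}

if ($Fix) {
    # Microsoft workaround: re-enable inheritance on the config directory contents,
    # then delete existing shadow copies so no readable historical copy remains.
    icacls (Join-Path $configDir '*.*') /inheritance:e
    vssadmin delete shadows /for=c: /Quiet
}
```

Re-run the script without -Fix afterwards to confirm that the hives no longer list BUILTIN\Users and that the shadow copy count is zero.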

Source: Windows Questions