Microsoft shares workaround for Windows 10 SeriousSAM vulnerability

Microsoft shares workarounds for new Windows 10 zero-day bug

Microsoft has shared a workaround for a Windows 10 zero-day vulnerability (dubbed SeriousSAM) that can let attackers gain admin rights on vulnerable systems and execute arbitrary code with SYSTEM privileges.

As BleepingComputer previously reported, a local elevation of privilege bug found in recently released Windows versions allows users with low privileges to access sensitive Registry database files.

Affects Windows 10 versions released since 2018

The security flaw, publicly disclosed by security researcher Jonas Lykkegaard on Twitter and yet to receive an official patch, is now tracked by Microsoft as CVE-2021-36934.

“An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database,” Microsoft explains in a security advisory published on Tuesday evening.

“An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability.”

As Microsoft further revealed, this zero-day vulnerability impacts all Windows client and server versions released during the last three years, since October 2018, starting with Windows 10 1809 and Windows Server 2019.

Lykkegaard also found that Windows 11 (Microsoft’s not yet officially released OS) is impacted.

Workaround now available

The databases exposed to user access by this bug (i.e., SYSTEM, SECURITY, SAM, DEFAULT, and SOFTWARE) are stored under the `C:\Windows\system32\config` folder.

Mimikatz creator Benjamin Delpy told BleepingComputer that anyone could easily take advantage of the incorrect file permissions to steal an elevated account’s NTLM hashed password and gain higher privileges via a pass-the-hash attack.

While attackers can’t directly access the databases due to access violations triggered by the files always being in use by the OS, they can access them through shadow volume copies.

Microsoft recommends both restricting access to the problematic folder and deleting Volume Shadow Copy Service (VSS) shadow copies to mitigate this issue.

Users should be aware that removing shadow copies from their systems could impact system and file restore operations, such as restoring data using third-party backup apps.

These are the steps needed to block exploitation of this vulnerability temporarily:

Restrict access to the contents of `%windir%\system32\config`:

  1. Open Command Prompt or Windows PowerShell as an administrator.

  2. Run this command:

Delete Volume Shadow Copy Service (VSS) shadow copies:

  1. Delete any System Restore points and Shadow volumes that existed prior to restricting access to `%windir%\system32\config`.

  2. Create a new System Restore point (if desired).

Additional info on how to delete shadow copies is available in the KB5005357 - Delete Volume Shadow Copies support document.
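The following is an added example, not code from Microsoft's advisory or from this article, that ties the two-part procedure above together: it audits the hive files for the overly permissive `BUILTIN\Users` read entry, reports how many shadow copies currently exist, and, only when run with `-Remediate`, applies the `icacls ... /inheritance:e` command from Microsoft's advisory followed by `vssadmin delete shadows`. The function names (`Test-HiveExposure`, `Get-ShadowCopyCount`, `Invoke-SeriousSamWorkaround`) are this example's own. It must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the advisory or this article): audit the registry hive
# files for the CVE-2021-36934 condition and, if asked, apply Microsoft's workaround.
# Function names are this example's own; run from an elevated PowerShell prompt.
param([switch]$Remediate)

$ConfigDir = Join-Path $env:windir 'system32\config'
$Hives     = 'SAM', 'SECURITY', 'SYSTEM', 'SOFTWARE', 'DEFAULT'

function Test-HiveExposure {
    # One row per hive. UsersCanRead is $true when BUILTIN\Users holds an Allow ACE
    # that includes ReadData, i.e. the condition the advisory describes.
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($hive in $Hives) {
        $path = Join-Path $ConfigDir $hive
        # Get-Acl only needs READ_CONTROL, so it works even though the hive is held open by the OS.
        $acl  = Get-Acl -LiteralPath $path
        $usersRead = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $readData) -eq $readData)
        }
        [pscustomobject]@{
            Hive         = $hive
            Path         = $path
            UsersCanRead = [bool]$usersRead
        }
    }
}

function Get-ShadowCopyCount {
    # Shadow copies are what let a low-privileged user read the otherwise locked hive files,
    # so the count matters as much as the ACL.
    (Get-CimInstance -ClassName Win32_ShadowCopy | Measure-Object).Count
}

function Invoke-SeriousSamWorkaround {
    # Step 1 (advisory): re-enable ACL inheritance so the hive files take the folder's
    # permissions (which do not grant Users) instead of their own overly permissive entries.
    & icacls "$ConfigDir\*.*" /inheritance:e
    # Step 2 (advisory / KB5005357): remove pre-existing shadow copies that still contain
    # readable copies of the hives. As the article notes, this also removes restore points.
    & vssadmin delete shadows "/for:$($env:SystemDrive)" /all /quiet
}

$before = Test-HiveExposure
$before | Format-Table -AutoSize
"Shadow copies present: $(Get-ShadowCopyCount)"

if ($Remediate -and ($before | Where-Object UsersCanRead)) {
    Invoke-SeriousSamWorkaround
    # Re-check so the operator can confirm both halves of the workaround took effect.
    Test-HiveExposure | Format-Table -AutoSize
    "Shadow copies after cleanup: $(Get-ShadowCopyCount)"
}
```

Run it without arguments to audit only; a system is mitigated when every hive reports `UsersCanRead` as `False` and the shadow copy count is zero. The remediation step is deliberately gated behind `-Remediate` because deleting shadow copies is destructive to System Restore and to any backup tooling that relies on VSS snapshots, as the article warns.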

Microsoft is still investigating the vulnerability and is working on a patch that will most likely be released as an out-of-band security update later this week. 

“We are investigating and will take appropriate action as needed to help keep customers protected,” Microsoft told BleepingComputer.

Update: Added more info on affected Windows versions and on deleting shadow copies.