CVE-2021-36934: Windows Elevation of Privilege Vulnerability Alert

Recently, Microsoft issued a risk notice for a Windows elevation of privilege vulnerability, tracked as CVE-2021-36934 with a CVSS score of 7.8. At present there is no official patch for this vulnerability. An attacker who successfully exploits it can elevate a normal user's privileges to SYSTEM and execute arbitrary code on the target machine. According to the official description, the vulnerability affects Windows 10 1809 and later versions, subject to certain version restrictions. However, since there is no official patch and a public PoC is available on the Internet, the exploitability of this vulnerability remains extremely high.

Vulnerability Detail

An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An attacker must have the ability to execute code on a victim system to exploit this vulnerability.

Solution

In this regard, we recommend that users apply the following temporary mitigations promptly.

Restrict access to the contents of %windir%\system32\config

Command Prompt (Run as administrator): icacls %windir%\system32\config\*.* /inheritance:e

Windows PowerShell (Run as administrator): icacls $env:windir\system32\config\*.* /inheritance:e

Delete Volume Shadow Copy Service (VSS) shadow copies

  1. Delete any System Restore points and shadow copies that existed prior to restricting access to %windir%\system32\config, because copies taken while the ACLs were permissive still contain readable copies of the hive files.
  2. Create a new System Restore point (if desired).
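The ACL check described under Vulnerability Detail and the two-part workaround above can be combined into one administrative script. The following PowerShell is an added example, not part of the advisory or of Microsoft's guidance: it audits the SAM, SYSTEM and SECURITY hive files for read access granted to low-privilege principals, and only when they are exposed does it apply the advisory's icacls command, remove pre-existing shadow copies, and take a fresh restore point. The function names, the restore point description and the list of low-privilege principals are assumptions made for this example.

```powershell
# Added example, not from the advisory: audit the hive files named in CVE-2021-36934 for
# read access by non-administrative principals and apply the advisory's workaround only
# when they are exposed. Run in an elevated Windows PowerShell 5.1 session
# (Checkpoint-Computer is not available in PowerShell 7).

$HiveDir   = Join-Path $env:windir 'System32\config'
$HiveFiles = 'SAM', 'SYSTEM', 'SECURITY' | ForEach-Object { Join-Path $HiveDir $_ }

# Principals that should never hold read access on the hives (assumed list for this example).
$LowPrivPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')

function Test-HiveExposure {
    # Returns $true if any hive file grants ReadData to a low-privilege principal.
    # Only the security descriptor is read (READ_CONTROL), which the kernel's exclusive
    # lock on the hive files does not block, so this works on a running system.
    param([string[]]$Paths)
    $exposed  = $false
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($path in $Paths) {
        $acl = Get-Acl -Path $path
        foreach ($ace in $acl.Access) {
            $rights = [int]$ace.FileSystemRights
            if ($ace.AccessControlType -eq 'Allow' -and
                $ace.IdentityReference.Value -in $LowPrivPrincipals -and
                ($rights -band $readData) -ne 0) {
                Write-Warning ('{0}: {1} has {2} (inherited={3})' -f
                    $path, $ace.IdentityReference, $ace.FileSystemRights, $ace.IsInherited)
                $exposed = $true
            }
        }
    }
    return $exposed
}

function Repair-HiveAcl {
    # The advisory's workaround: re-enable ACL inheritance on every file in the config
    # directory so each file takes its parent's ACL instead of the stale permissive one.
    & icacls "$HiveDir\*.*" /inheritance:e | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

function Get-ShadowCopies {
    # Shadow copies taken before the ACL fix still hold readable copies of the hives.
    Get-CimInstance -ClassName Win32_ShadowCopy | Select-Object ID, InstallDate, VolumeName
}

function Remove-AllShadowCopies {
    # Step 1 of the advisory: remove pre-existing restore points and shadow copies.
    & vssadmin delete shadows /all /quiet | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "vssadmin failed with exit code $LASTEXITCODE" }
}

# --- Main ---
if (-not (Test-HiveExposure -Paths $HiveFiles)) {
    Write-Host 'Hive files are not readable by low-privilege users; no action taken.'
    return
}

$shadows = @(Get-ShadowCopies)
Write-Host "Shadow copies present before mitigation: $($shadows.Count)"
$shadows | Format-Table -AutoSize

Repair-HiveAcl
if ($shadows.Count -gt 0) { Remove-AllShadowCopies }

# Step 2 (optional): take a fresh restore point now that the hives carry correct ACLs.
# Requires System Restore to be enabled on the system drive; by default Windows refuses a
# new point within 24 hours of the previous one, which Checkpoint-Computer reports as a warning.
Checkpoint-Computer -Description 'Post CVE-2021-36934 ACL mitigation' -RestorePointType 'MODIFY_SETTINGS'

# Re-run the audit so the script's own result is verified rather than assumed.
if (Test-HiveExposure -Paths $HiveFiles) {
    Write-Error 'Hive files are still exposed after re-enabling inheritance; inspect the ACL of the config directory itself.'
} else {
    Write-Host 'Mitigation applied: hive ACLs corrected and old shadow copies removed.'
}
```

The audit deliberately matches on the ReadData bit rather than on the full (RX) string, so it also flags ACEs that grant read through a broader right such as FullControl or a generic-read mask. The final re-check matters because /inheritance:e only helps if the parent directory's own ACL is restrictive; if the warning still appears after the fix, the problem is one level up.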