As if the list of software vulnerabilities and cybersecurity threats to mitigate isn’t long enough already, IT professionals now need to be aware of newly disclosed vulnerabilities in Windows and Linux operating systems that could give local attackers elevated privileges.
Both vulnerabilities were disclosed Tuesday and come as IT professionals grapple with keeping systems up to date as the list of zero-day exploits piles up. Neither vulnerability is patched yet, but there are workarounds for each.
The Windows vulnerability, tracked as CVE-2021-36934, is a local elevation of privilege vulnerability that exists because of “overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database,” Microsoft said in an advisory.
A successful attacker could then run arbitrary code with SYSTEM privileges.
Microsoft is currently investigating and has confirmed that the issue affects Windows 10 versions 1809 and newer.
According to BleepingComputer, a security researcher discovered that the Windows 10 and Windows 11 Registry files associated with the SAM are accessible to the "Users" group, which has low privileges on a device.
With these low file permissions, a threat actor with limited privileges on a device can extract the NTLM hashed passwords for all accounts on a device and use those hashes in pass-the-hash attacks to gain elevated privileges.
Because Registry files such as the SAM file are always in use by the operating system, attempting to access them directly produces an access violation: the files are open and locked by another process.
However, threat actors can use the Win32 device namespace path for shadow volume copies to access the SAM file as any user on the computer.
Security researcher and Mimikatz creator Benjamin Delpy told BleepingComputer that, using these low and incorrect file permissions together with shadow volume copies of the files, you could easily steal an elevated account's NTLM hashed password to gain higher privileges.
Microsoft’s recommended workaround is to restrict access to the contents of %windir%\system32\config and to delete volume shadow copies.
Read the advisory for more information.
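As an added example (not code from the article or from Microsoft's advisory), the following elevated PowerShell script checks the points above on a host: whether BUILTIN\Users holds a read ACE on the SAM, SECURITY and SYSTEM hives, which shadow copies exist, and, with the assumed -Remediate switch, applies the two advisory workarounds.

```powershell
# Added audit/remediation helper for CVE-2021-36934 (not from the article or the
# Microsoft advisory itself). Run from an elevated PowerShell session.
# Assumption: the -Remediate switch is this script's own; icacls, vssadmin and
# Win32_ShadowCopy are standard Windows components.
param([switch]$Remediate)

$config = Join-Path $env:windir 'system32\config'
$hives  = 'SAM', 'SECURITY', 'SYSTEM' | ForEach-Object { Join-Path $config $_ }

# 1. Does BUILTIN\Users hold an Allow ACE with read rights on any hive?
#    Get-Acl only needs READ_CONTROL, so it works even though the hives are locked.
$exposed = foreach ($hive in $hives) {
    (Get-Acl -Path $hive).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $_.FileSystemRights -match 'Read|Modify|FullControl'
        } |
        ForEach-Object { [pscustomobject]@{ Hive = $hive; Rights = $_.FileSystemRights } }
}

# 2. Shadow copies taken while the ACL was wrong still contain readable hives,
#    so list them regardless of the current ACL state.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
           Select-Object ID, InstallDate, VolumeName

if ($exposed) {
    Write-Warning 'Hives readable by BUILTIN\Users (CVE-2021-36934 exposure):'
    $exposed | Format-Table -AutoSize
} else {
    Write-Host 'No BUILTIN\Users read ACE on SAM/SECURITY/SYSTEM.'
}
Write-Host ('Existing shadow copies: {0}' -f @($shadows).Count)
$shadows | Format-Table -AutoSize

if ($Remediate) {
    # Advisory workaround 1: re-enable inheritance so the hives take the parent
    # directory's restrictive ACL.
    icacls "$config\*.*" /inheritance:e
    # Advisory workaround 2: remove shadow copies (and with them restore points)
    # that still hold hive copies under the old ACL. This deletes every VSS
    # snapshot on the system drive, so confirm backups exist first.
    vssadmin delete shadows "/for=$env:SystemDrive" /all /quiet
}
```

Fixing the ACL alone is not sufficient: a snapshot taken before the fix keeps the permissive copy of the hives, which is why the advisory pairs the two steps.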
Meanwhile, a local privilege escalation vulnerability in Linux could give any attacker root privileges on the vulnerable host, according to the Qualys research team.
Researchers say the vulnerability, tracked as CVE-2021-33909, exists in the Linux kernel's filesystem layer and therefore affects most Linux operating systems, but Qualys has so far only confirmed it on Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11 and Fedora 34 Workstation.
Qualys released a proof-of-concept video explaining the exploit.
“Other Linux distributions are likely vulnerable and probably exploitable,” Qualys researchers said in a report.
Red Hat has issued patches and is urging customers to update immediately.