[SANS ISC] “Summer of SAM”: Microsoft Releases Guidance for CVE-2021-36934, (Wed, Jul 21st)

Microsoft released a knowledge base article regarding CVE-2021-36934 [1]. Bojan explained the vulnerability in more detail yesterday. Recent versions of Microsoft Windows grant non-administrative users read access to several system files under %windir%\system32\config because of overly permissive access control lists. Of main interest is the Security Accounts Manager (SAM) database, which holds the password hashes of local accounts (the SYSTEM hive, needed to decrypt them, is exposed the same way). The live files are locked while Windows is running, but it has been demonstrated that the exposure is easily exploited by retrieving copies of these files from volume shadow copies, which any local user can read.

Microsoft recommends two workarounds:

restrict access to %windir%\system32\config
delete existing shadow copies

Deleting shadow copies removes existing restore points, so it will of course affect any attempt to restore a prior system state. Once the old copies are deleted and the permissions are adjusted, a new shadow copy can be created; a shadow copy taken before the permissions were fixed would still contain the readable files.
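The following script, as an added example (not part of the ISC diary and not Microsoft's own code), checks a host for the permissive ACLs and then applies the two workarounds from an elevated PowerShell prompt. The icacls and vssadmin invocations are the ones Microsoft published; the ACL check, the volume letter C:, the use of the Win32_ShadowCopy WMI class to take a fresh shadow copy on client SKUs, and the function names are my assumptions about a sensible administrative procedure.

```powershell
# Added example: detect and work around the CVE-2021-36934 ACL exposure.
# Not from the ISC diary or from Microsoft; run from an elevated PowerShell session.
# Assumptions: the system volume is C:, and "BUILTIN\Users" with a read right on the
# hives is the condition that makes the host exploitable by a non-admin user.
#Requires -RunAsAdministrator

$ConfigDir = Join-Path $env:windir 'System32\config'
$Hives     = 'SAM', 'SECURITY', 'SYSTEM'

function Test-SamExposure {
    # Get-Acl reads the security descriptor only, so it works even though the
    # hives are locked by the running kernel. Any Allow ACE that gives
    # BUILTIN\Users ReadData means a standard user can copy the file.
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($name in $Hives) {
        $path = Join-Path $ConfigDir $name
        $bad  = (Get-Acl -Path $path).Access | Where-Object {
            $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band $readData) -ne 0
        }
        [PSCustomObject]@{ Hive = $name; UsersCanRead = [bool]$bad }
    }
}

function Invoke-SamWorkaround {
    # Step 1 (Microsoft's workaround): re-enable inheritance on every file in the
    # config directory. This re-applies the parent directory's inheritable ACEs
    # (SYSTEM and Administrators only) and drops the stale "(I)" entries for Users.
    icacls "$ConfigDir\*.*" /inheritance:e

    # Step 2 (Microsoft's workaround): shadow copies made before step 1 still
    # contain readable hives, so delete them. This discards existing restore points.
    vssadmin delete shadows /for=C: /Quiet

    # Step 3 (assumption, not Microsoft's guidance): take a new shadow copy now that
    # the on-disk ACLs are fixed. "vssadmin create shadow" exists only on Server
    # editions, so the WMI Win32_ShadowCopy.Create method is used on client SKUs.
    $result = ([wmiclass]'root\cimv2:Win32_ShadowCopy').Create('C:\', 'ClientAccessible')
    if ($result.ReturnValue -ne 0) {
        Write-Warning "Win32_ShadowCopy.Create returned $($result.ReturnValue)"
    }
}

$before = Test-SamExposure
$before | Format-Table -AutoSize
if ($before.UsersCanRead -contains $true) {
    Invoke-SamWorkaround
    # Re-check: every hive should now report UsersCanRead = False.
    Test-SamExposure | Format-Table -AutoSize
}
```

Run Test-SamExposure on its own first if you only want an inventory; the workaround is applied only when at least one hive is readable by Users, and the re-check at the end confirms the inherited ACL took effect before you rely on the new shadow copy.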

Windows 10 version 1809 and newer are affected, including the Windows 11 beta. According to the current guidance, server versions of Windows are not affected, but Microsoft also states that it is still investigating exactly which versions are affected, so this list may change.

[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
