Move over, PrintNightmare. Microsoft has another privilege-escalation hole in Windows that could potentially be exploited by rogue users and malicious software to gain administrator-level access.
Meanwhile, a make-me-root hole was found in recent Linux kernels.
Newer versions of Windows 10, and the Windows 11 preview, have a misconfigured access control list (ACL) on the Security Account Manager (SAM), SYSTEM and SECURITY registry hive files.
As a result of this error, non-administrative users can read these databases if a VSS shadow copy of the system drive is present, and potentially use the contents to obtain elevated privileges. According to a US-CERT advisory, the issue appears to affect Windows 10 build 1809 and later.
The advisory says that if successfully exploited, this bug, dubbed HiveNightmare by some, can be used to:
Or, more briefly: “a locally authenticated attacker may be able to achieve [local privilege escalation], masquerade as other users, or achieve other security-related impacts.” This can be used to thoroughly infect a system with malware, snoop on other users, and so on.
You may think you are safe because your Windows PC does not have a suitable VSS shadow copy, but there are still ways to end up quietly creating one and exposing the computer.
According to the advisory: “Note that VSS shadow copies may not be available in some configurations, however simply having a system drive that is larger than 128GB in size and then performing a Windows Update or installing an MSI will ensure that a VSS shadow copy will be automatically created.”
US-CERT describes how to detect whether you have VSS shadow copies available: run vssadmin list shadows as a privileged user and see if any shadow copies are listed.
VSS shadow copies are a key ingredient because the registry hive files are held open by Windows during normal operation, so a normal user cannot open them even with the lax ACL. However, if shadow copies exist, you will find that you can open copies of the files for inspection thanks to the sloppy ACL.
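The following PowerShell script is an added example, not code from the article, the US-CERT advisory, or Microsoft; it performs the two checks described above from a defender's point of view: whether the built-in Users group (SID S-1-5-32-545) holds read access on the SAM, SYSTEM and SECURITY hive files, and whether any VSS shadow copies are present. It assumes the standard hive locations under %windir%\System32\config and uses build 17763 as the Windows 10 1809 threshold mentioned in the advisory. It only reports; it changes nothing on the host.

```powershell
# Added example: report the CVE-2021-36934 (HiveNightmare) preconditions on a Windows host.
# Not from the article or from Microsoft; hive paths and the 17763 build number are assumptions
# documented in the lead-in. Run vssadmin from an elevated prompt, as the advisory says.

# Standard locations of the three hive files named in the advisory.
$HivePaths = @('SAM', 'SYSTEM', 'SECURITY') |
    ForEach-Object { Join-Path $env:windir "System32\config\$_" }

function Test-HiveAclExposure {
    param([string[]]$Paths = $HivePaths)
    foreach ($p in $Paths) {
        # Get-Acl needs only READ_CONTROL, so it works even though the kernel holds the file open.
        $acl = Get-Acl -Path $p
        $usersRead = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            # Compare by SID rather than by name so localized builds are handled.
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-32-545' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
        }
        [pscustomobject]@{
            Path         = $p
            UsersCanRead = [bool]$usersRead
            Rights       = ($usersRead | ForEach-Object { $_.FileSystemRights.ToString() }) -join ', '
        }
    }
}

function Get-ShadowCopyCount {
    # Same check the advisory describes: list shadows and see whether any exist.
    $out = & vssadmin.exe list shadows 2>&1
    return ($out | Select-String -Pattern 'Shadow Copy ID:' -SimpleMatch).Count
}

function Invoke-HiveNightmareCheck {
    $build    = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $aclState = Test-HiveAclExposure
    $shadows  = Get-ShadowCopyCount
    $exposed  = @($aclState | Where-Object UsersCanRead).Count -gt 0
    [pscustomobject]@{
        Build             = $build
        BuildInRange      = $build -ge 17763      # 17763 = Windows 10 1809 (assumed threshold)
        HiveAclExposed    = $exposed
        ExposedHives      = ($aclState | Where-Object UsersCanRead | ForEach-Object Path) -join ', '
        ShadowCopies      = $shadows
        LikelyExploitable = $exposed -and ($shadows -gt 0)
    }
}

Invoke-HiveNightmareCheck | Format-List
```

A host where HiveAclExposed is true but ShadowCopies is zero still deserves attention, since the advisory notes that a Windows Update or an MSI install on a large system drive can create a shadow copy later; the ACL finding is the durable signal to track across a fleet, the shadow-copy count only a snapshot.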
Microsoft is aware of the error, which is assigned ID CVE-2021-36934, and said:
When word of the bug came out earlier this week, it did not escape the attention of the infosec community. Mimikatz creator Benjamin Delpy tweeted:
Bad month Microsoft, hmm? https://t.co/Ol3Zm1OVSr pic.twitter.com/eXFpJlmash
– 🥝 Benjamin Delpy (@gentilkiwi) July 19, 2021
Referring to the VSS requirement for exploitation, Delpy told The Register: “The snapshot is not the real issue, it’s the ACL.” And you do not have to crack the hashes; it may be possible to use Mimikatz, for example, to elevate privileges using the extracted data.
Delpy shared a video demonstrating just that, and credited Jonas Lykkegaard with discovering the ACL flaw.
Question: What can you do when you have #mimikatz🥝 and some read access on Windows system files such as SYSTEM, SAM and SECURITY?
A: Escalation of local privilege 🥳
Thank you @jonasLyk for this Read access on standard Windows😘 pic.twitter.com/6Y8kGmdCsp
– 🥝 Benjamin Delpy (@gentilkiwi) July 20, 2021
This is not a clear-cut problem, as some people report that their Windows 10 installations are not vulnerable, depending on the deployment. We are waiting for more information from Microsoft. In the meantime, see the advisory above for instructions on reducing your exposure. ®
It’s not just Windows: a security hole has been found in Linux kernels since version 3.16 that can be exploited by rogue users and malicious software already on a system to gain root-level privileges. The vulnerability has been assigned the ID CVE-2021-33909.
Dubbed Sequoia by the Qualys team that found and responsibly reported it, the bug, we are told, is present in “default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Other Linux distributions are probably vulnerable and likely exploitable.” So check for updates and install them as soon as you can, as fixes should be available now or shortly for your distro.
Technical details of the programming error in the filesystem code are here. Qualys’ proof-of-concept exploit required 5 GB of RAM and one million inodes to succeed.
Qualys also discovered another vulnerability in Linux systems, CVE-2021-33910, a denial-of-service kernel panic via systemd. Updates are available for that too, so install them as well.