Microsoft Windows 10 and Windows 11 users are at risk from a newly disclosed vulnerability that, at the time of writing, has no patch.
As we reported last week, the vulnerability, dubbed SeriousSAM (also known as HiveNightmare), lets an attacker with only low-privileged local access read protected Windows system files and go on to perform a Pass-the-Hash (and potentially Silver Ticket) attack.
By exploiting it, an attacker can obtain the hashed passwords stored in the Security Account Manager (SAM) and the related registry hives, and ultimately run arbitrary code with SYSTEM privileges.
SeriousSAM, tracked as CVE-2021-36934, exists in the default configuration of Windows 10 (from version 1809) and Windows 11: the access control lists on the registry hive files under %windir%\System32\config grant read permission to the built-in Users group, which contains every local user.
As a result, any local user can read the SAM, SYSTEM and SECURITY hives. The live files are locked while Windows is running, but the copies kept in Volume Shadow Copies are not, and the SYSTEM hive holds the boot key needed to decrypt the SAM. With ordinary 'User' access, an attacker can use a tool such as Mimikatz to extract the NT hashes and then either crack them offline or replay them directly in a Pass-the-Hash attack. Because the SECURITY hive also holds cached domain logon credentials and LSA secrets, a single compromised workstation can hand the attacker domain accounts and elevated privileges on the network.
Because there is no official patch from Microsoft yet, the best way to protect your environment from SeriousSAM is to apply hardening measures.
Mitigating SeriousSAM
According to Dvir Goren, CTO at CalCom, there are three hardening options:
Remove all users from the built-in Users group. This is a good place to start, but it won't protect you if Administrator credentials are stolen.
Restrict permissions on the SAM files and the registry so that only Administrators have access. For the hive files this means restoring ACL inheritance from %windir%\System32\config, which is also Microsoft's published workaround. Again, this only solves part of the problem: if an attacker steals Administrator credentials, you are still exposed.
Do not allow storage of passwords and credentials for network authentication. This rule is also recommended in the CIS benchmarks. With it enabled, Credential Manager no longer saves passwords and credentials on the machine, so an attacker who can read the hives finds far less credential material to harvest. It does not, however, remove the NT hashes of local accounts from the SAM, so it complements the permission fix rather than replacing it.
When using GPOs for implementation, make sure the following UI Path is Enabled:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of passwords and credentials for network authentication
Although the last recommendation is a sound hardening measure, it can disrupt production if it is pushed without prior testing. When the setting is enabled, scheduled tasks and applications that depend on credentials saved on the machine will fail.
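The checks behind the measures above, written as an added PowerShell example that is not part of the original article or of CalCom's product: it reports whether the hive files are still readable by the built-in Users group, how many Volume Shadow Copies exist (the copies an attacker can actually read), and whether the CIS setting is enabled, and on request applies Microsoft's published icacls workaround. The function names and the -Remediate switch are this example's own; the hive paths, the icacls command and the DisableDomainCreds registry value are real Windows artifacts. Run in audit mode on a schedule, it is also the drift check that the rollout steps below call for.

```powershell
# Added example (not from the original article or CalCom's tooling): audit a
# Windows 10/11 host for the CVE-2021-36934 exposure and, on request, apply
# Microsoft's permissions workaround. Run from an elevated PowerShell session.
# Assumptions: hive file names, the %windir%\System32\config path, icacls and
# the DisableDomainCreds value are real; function names and the -Remediate
# switch are this example's own.

function Get-HivesReadableByUsers {
    param([string[]]$Paths)
    # Match the Users group by its well-known SID (S-1-5-32-545) rather than by
    # name, so the check also works on localized Windows installations.
    foreach ($path in $Paths) {
        $acl = Get-Acl -LiteralPath $path
        $hit = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-32-545' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
        }
        if ($hit) { $path }
    }
}

function Test-SeriousSamExposure {
    [CmdletBinding()]
    param(
        # Restore ACL inheritance on the hive files (Microsoft's published workaround).
        [switch]$Remediate
    )

    $config = Join-Path $env:windir 'System32\config'
    $hives  = 'SAM', 'SYSTEM', 'SECURITY' | ForEach-Object { Join-Path $config $_ }
    $report = [ordered]@{}

    # 1. Which hive files grant read access to BUILTIN\Users?
    #    On a vulnerable host all three do (ReadAndExecute, Synchronize).
    $report.HivesReadableByUsers = @(Get-HivesReadableByUsers -Paths $hives)

    # 2. The live hives are locked while Windows runs; Volume Shadow Copies are
    #    the readable path, so record how many exist. Deleting them (vssadmin)
    #    is part of Microsoft's workaround but destroys restore points, so this
    #    function only reports the count.
    $shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
    $report.ShadowCopyCount = @($shadows).Count

    # 3. Is "Network access: Do not allow storage of passwords and credentials
    #    for network authentication" enabled? Its registry value is
    #    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableDomainCreds = 1.
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $lsa -Name DisableDomainCreds -ErrorAction SilentlyContinue).DisableDomainCreds
    $report.DisableDomainCredsEnabled = ($value -eq 1)

    # Only the ACL fix is automated. DisableDomainCreds is left to the GPO
    # rollout after impact testing, because it can break scheduled tasks and
    # applications that depend on saved credentials.
    if ($Remediate -and $report.HivesReadableByUsers.Count -gt 0) {
        & icacls.exe "$config\*.*" /inheritance:e | Out-Null
        $report.RemediationApplied = ($LASTEXITCODE -eq 0)
        # Re-check so the report reflects the post-fix state.
        $report.HivesReadableByUsers = @(Get-HivesReadableByUsers -Paths $hives)
    }

    [pscustomobject]$report
}

# Usage:
#   Test-SeriousSamExposure             # report only; schedule it to catch drift
#   Test-SeriousSamExposure -Remediate  # also restore inheritance on the hive files
```

A host is fixed when HivesReadableByUsers is empty and ShadowCopyCount is 0; the shadow copies themselves are left for you to delete deliberately, since that step is irreversible. The DisableDomainCreds check is reported but never set here, which keeps the script safe to run on production before the GPO has been tested.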
Mitigating SeriousSAM without risking causing damage to production
The following are Dvir's recommendations for mitigating without causing downtime:
- Set up a test environment that simulates your production environment, reproducing the dependencies of your network as accurately as you can.
- Analyze the impact of the rule in that test environment. If applications rely on credentials stored locally, you will know in advance and avoid production downtime.
- Push the policy wherever possible. Make sure new machines are hardened too and that the configuration does not drift over time.
These three tasks are complex and demand considerable resources and in-house expertise. Dvir's final recommendation is therefore to automate the entire hardening process, which removes the need to carry out the three steps by hand.
Here is what you gain from a hardening automation tool:
- Automatically generate the most accurate possible impact analysis report: hardening automation tools learn your production dependencies and report the potential impact of each policy rule.
- Automatically enforce your policy across your entire production estate from a single point of control: no manual work such as configuring GPOs, and certainty that every machine is hardened.
- Maintain your compliance posture and monitor your machines in real time: hardening automation tools monitor compliance, alert on unauthorized configuration changes and remediate them, preventing configuration drift.
Hardening automation tools learn the dependencies directly from your network and automatically generate an accurate impact analysis report; they also help you orchestrate the implementation and monitoring process.
Sources
Microsoft Security Update Guide entry for CVE-2021-36934 (SeriousSAM). The changelog there describes the attack vector (CVSS Attack Vector: Local) as follows:
The vulnerable component is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., tricking a legitimate user into opening a malicious document)