SAM Vulnerability

28th July 2021, Kathmandu

Microsoft Windows 10 and Windows 11 users are at risk from a new, unpatched vulnerability that was recently publicly disclosed.

As we reported last week, the SeriousSAM vulnerability allows attackers with low-level permissions to access Windows system files and perform Pass-the-Hash (and possibly Silver Ticket) attacks.

An attacker can use this vulnerability to obtain the hashed passwords stored in the Security Account Manager (SAM) and the registry and, eventually, run arbitrary code with SYSTEM privileges.

The SeriousSAM vulnerability (tracked as CVE-2021-36934) exists in the default configuration of Windows 10 and Windows 11 because the file permissions grant "read" access to the built-in Users group, which contains all local users.

Therefore, any member of the built-in Users group can read the SAM file and the registry hives, including the password hashes stored in them. Once an attacker has ordinary "user" access, they can use tools like Mimikatz to read the registry or SAM, steal the hash value, and convert it to a password. Using this technique against domain users allows the attacker to gain greater authority on the network.

Since Microsoft has not yet provided an official patch, the best way to protect your environment from the SeriousSAM vulnerability is to implement hardening measures.

According to CalCom CTO Dvir Goren, there are three hardening measures to choose from:

Remove all users from the built-in Users group. This is a good starting point, but it will not protect you if your administrator credentials are stolen.

Restrict the SAM file and registry permissions so that only administrators have access. Again, this solves only part of the problem: if an attacker steals administrator credentials, you are still exposed to this vulnerability.

Do not allow storage of passwords and credentials for network authentication; this rule is also recommended in the CIS benchmarks. With this rule implemented, no hashes will be stored in the SAM or the registry, fully mitigating this vulnerability.
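The second measure above, restricting the on-disk hives to administrators, can be audited and applied with a short script. The following is an added example and not code from the article or from CalCom; it assumes the standard hive locations under %windir%\System32\config, the well-known BUILTIN\Users SID S-1-5-32-545, and Microsoft's published icacls workaround for CVE-2021-36934, and it must be run from an elevated PowerShell.

```powershell
# Added example (not from the original article): audit the SAM, SECURITY and
# SYSTEM hives on disk for the permissive ACL described above (read access for
# BUILTIN\Users) and, with -Fix, apply the restriction. Run elevated.
param([switch]$Fix)

function Get-ExposedHives {
    $usersSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'   # BUILTIN\Users
    $readBit  = [System.Security.AccessControl.FileSystemRights]::ReadData
    $exposed  = @()
    foreach ($name in 'SAM', 'SECURITY', 'SYSTEM') {
        $path = Join-Path $env:windir "System32\config\$name"
        # Reading the security descriptor only needs READ_CONTROL, so this works
        # even though the kernel keeps the hive file itself open.
        $acl = Get-Acl -LiteralPath $path
        foreach ($ace in $acl.Access) {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            if ($sid -eq $usersSid -and $ace.AccessControlType -eq 'Allow' -and
                (($ace.FileSystemRights -band $readBit) -ne 0)) {
                Write-Warning ("{0}: {1} for BUILTIN\Users (inherited={2})" -f
                    $path, $ace.FileSystemRights, $ace.IsInherited)
                $exposed += $path
            }
        }
    }
    return $exposed
}

$exposed = @(Get-ExposedHives)
if ($exposed.Count -eq 0) {
    Write-Host 'OK: no hive grants read access to BUILTIN\Users'
} elseif ($Fix) {
    # Microsoft's documented workaround for CVE-2021-36934: re-enable ACL
    # inheritance from %windir%\System32\config so the hives keep only the
    # SYSTEM/Administrators entries of the parent folder.
    icacls "$env:windir\System32\config\*.*" /inheritance:e | Out-Null
    $after = @(Get-ExposedHives)
    Write-Host ("Exposed hives remaining after fix: {0}" -f $after.Count)
} else {
    Write-Host ("{0} exposed hive(s); re-run with -Fix to restrict the ACL" -f $exposed.Count)
}
```

Volume Shadow Copies taken before the fix still contain the hives with the old ACL, so an audit that only checks the live files can report a clean result while older snapshots remain readable.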

When using GPO for deployment, make sure to enable the following UI paths:
