Microsoft has disclosed yet another critical vulnerability, not long after PrintNightmare. This privilege elevation vulnerability lies in overly permissive Access Control Lists (ACLs) on the sensitive Security Accounts Manager (SAM) database and the SYSTEM and SECURITY registry hives. This means that an attacker with a standard, non-administrative account can in theory achieve local privilege escalation, masquerade as other users, and/or achieve the following:
- Discover the original Windows installation password using registry forensics.
- Extract and leverage account password hashes via the SAM.
- Obtain a computer machine account, to be used in a Kerberos silver ticket attack.
- Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.
Microsoft has released a temporary workaround for the vulnerability until an official fix is available:
Restrict access to the contents of %windir%\system32\config:
- Open Command Prompt or Windows PowerShell as an administrator.
- Run: icacls %windir%\system32\config\*.* /inheritance:e
Delete Volume Shadow Copy Service (VSS) shadow copies:
- Delete any System Restore points and shadow volumes that existed prior to restricting access to %windir%\system32\config.
- Create a new System Restore point (if desired).
Impact of workaround: Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications.
Note: You must restrict access and delete shadow copies to prevent exploitation of this vulnerability.
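As an added example (not from the original post or from Microsoft's advisory), the following PowerShell script audits the three hives for an Allow ACE that grants BUILTIN\Users read access and, if one is found, applies the two-step workaround above. It assumes Windows PowerShell 5.1 running from an elevated prompt; the function names are mine, and the shadow-copy and restore-point commands are the standard vssadmin and Checkpoint-Computer tools, not commands quoted by the post.

```powershell
# Added example: audit hive ACLs for the exposure described above, then apply the workaround.
# Assumes an elevated Windows PowerShell 5.1 session on a default Windows install.
$config = Join-Path $env:windir 'System32\config'
$hives  = 'SAM', 'SYSTEM', 'SECURITY' | ForEach-Object { Join-Path $config $_ }
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Test-HiveExposure {
    # Returns $true if BUILTIN\Users holds an Allow ACE with read access on any hive.
    # On affected systems the ACE is inherited, which is why /inheritance:e below repairs it.
    $exposed = $false
    foreach ($hive in $hives) {
        $acl = Get-Acl -Path $hive
        foreach ($ace in $acl.Access) {
            $isUsers = $ace.IdentityReference.Value -eq 'BUILTIN\Users'
            $isAllow = $ace.AccessControlType -eq 'Allow'
            # Cast to int: generic rights appear as negative enum values, so compare bitwise.
            $canRead = (([int]$ace.FileSystemRights) -band $readData) -ne 0
            if ($isUsers -and $isAllow -and $canRead) {
                Write-Warning "$hive is readable by BUILTIN\Users (inherited: $($ace.IsInherited))"
                $exposed = $true
            }
        }
    }
    return $exposed
}

function Invoke-HiveWorkaround {
    # Step 1 (from the post): re-enable inheritance so the hive files take the
    # restrictive ACL of the config directory instead of their current permissive one.
    & icacls "$config\*.*" /inheritance:e | Out-Null

    # Step 2 (from the post): remove shadow copies, since they still contain the
    # old hive files with the permissive ACL and would otherwise remain readable.
    & vssadmin delete shadows /all /quiet | Out-Null

    # Optional: create a fresh restore point now that the on-disk ACLs are fixed.
    Checkpoint-Computer -Description 'Post hive ACL fix' -RestorePointType 'MODIFY_SETTINGS'
}

if (Test-HiveExposure) {
    Invoke-HiveWorkaround
    if (Test-HiveExposure) { Write-Warning 'Hives still exposed; verify the config directory ACL.' }
    else { Write-Host 'Workaround applied; hive ACLs are now restricted.' }
} else {
    Write-Host 'Hive ACLs already restricted; no action taken.'
}
```

Run the audit half alone (call Test-HiveExposure without Invoke-HiveWorkaround) when you only want to inventory exposed machines, for instance from an endpoint management tool, before scheduling the shadow-copy deletion.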
We are always closely monitoring for targeted threats towards our customers. New indicators of compromise that we find are automatically added in real time to our MDR and incident response capability.