Serious SAM vulnerability CVE-2021-36934

*** UPDATE - added Server 2016 to the relevance for the sample fixlet and upgraded to Beta ***

MS has another hot item this week
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934

Allows the Everyone account to extract SAM information to leverage in NTLM hash attacks on Windows 10 1806 and greater.

Some relevance that can help you detect this on your Windows 10 estate:

Q: (windows of it and name of it = "Win10") of operating system AND exists files "config/SAM" whose (exists entries whose (account name of trustee of it = "Users" and generic read permission of it and not deny type of it) of dacls of security descriptors of it) of native system folder
A: True

I have a sample Fixlet posted to the community here: https://bigfix.me/fixlet/details/26866

*** Sample Fixlet has had 64bit redirection added and been tested once. Please report back here if you try it and it works (or doesn’t) ***

It uses the icacls.exe command suggested in the MS article above.

It uses a vssadmin command to clear out all shadow copies, as documented in the article below.

11 Likes
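A local PowerShell version of the same check, added here as an example (it is not from this thread or from the bigfix.me Fixlet, and the function and parameter names are my own). It mirrors the relevance above: an Allow ACE for BUILTIN\Users (S-1-5-32-545) carrying read access on the hive files under system32\config, and also counts existing VSS shadow copies, since the live hives are locked and the data is only reachable through a snapshot. Run it elevated from a 64-bit PowerShell host so System32 is not WOW64-redirected.

```powershell
# Added example, not the thread's relevance or the Fixlet's code. Function and
# parameter names are assumptions of this example.
function Test-SamHiveExposure {
    [CmdletBinding()]
    param(
        # The hive files the MS guidance covers; SAM is the one the relevance checks
        [string[]]$HiveFiles = @('SAM', 'SYSTEM', 'SECURITY')
    )

    # Same intent as "action uses wow64 redirection false" in the Fixlet
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        throw 'Run from a 64-bit PowerShell host so System32 paths are not WOW64-redirected.'
    }

    $usersSid  = 'S-1-5-32-545'   # BUILTIN\Users, the "Users" trustee in the relevance
    $configDir = Join-Path $env:windir 'System32\config'

    $hiveReport = foreach ($hive in $HiveFiles) {
        $path = Join-Path $configDir $hive
        $acl  = Get-Acl -LiteralPath $path

        # An Allow ACE for Users that carries read access (ReadData bit set) matches the relevance
        $readAces = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $usersSid -and
            (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0)
        }

        [pscustomobject]@{
            Hive         = $hive
            Path         = $path
            UsersCanRead = [bool]$readAces
            Rights       = ($readAces.FileSystemRights -join ', ')
        }
    }

    # The hives are locked while Windows runs; exposure needs an existing shadow copy
    $shadowCount = @(Get-CimInstance -Namespace root/cimv2 -ClassName Win32_ShadowCopy).Count
    $aclRelaxed  = [bool]($hiveReport | Where-Object UsersCanRead)

    [pscustomobject]@{
        Hives           = $hiveReport
        ShadowCopyCount = $shadowCount
        # The ACL is the root cause: a box with relaxed permissions but no snapshot today
        # becomes exposed as soon as a restore point or backup creates one
        AclRelaxed      = $aclRelaxed
        ExposedNow      = $aclRelaxed -and ($shadowCount -gt 0)
    }
}

$report = Test-SamHiveExposure
$report.Hives | Format-Table Hive, UsersCanRead, Rights -AutoSize
$report | Select-Object ShadowCopyCount, AclRelaxed, ExposedNow
```

`AclRelaxed` is the value to act on for hardening; `ExposedNow` only tells you whether a snapshot currently exists to read the hives from, which is why the Fixlet both re-applies inheritance and clears shadow copies.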

MS updated their notice to include Server 2019 as it is built with the same kernel as Win10

I updated the relevance in the fixlet that @brolly33 built to add Win2019:

(name of operating system = "Win10") or (name of operating system = "Win2019")

3 Likes

Is anyone seeing 2019 computers actually relevant? Manually checking some 2019 servers in our environment, we aren’t seeing that apply.

Only have two dozen, at 1809 build, and not relevant.

Yeah, none of our 2019 servers are relevant. I went through the permissions manually to verify and that appears to be correct.

I’m wondering why Microsoft added it to their bulletin then? Am I missing something?

@mesee2
Thanks for calling out the addition of Server 2019.
Sample Fixlet updated to v2 with addition of Server 2019 relevance

From MS reporting a vulnerability, it is right to limit the scope to only systems that would be configured this way as a default configuration. There might be some edge case they want to cover with the addition of Server 2019.

I might assert, from a system hardening point of view instead of a vulnerability point of view, that any Windows system that has the relaxed permissions on these folders is at risk and should be tightened up.

1 Like

Curiously, I’m not seeing a massive freakout on this one. Anyone have any guesses as to why? The ability to easily escalate to SYSTEM seems like kind of a big deal.

I agree, a curious lack of focus for the potential vulnerability.

Microsoft did update their guidance again to remove Windows Server from the scope after they initially added it.

This is definitely getting flagged by Crowdstrike as malicious when it attempts to delete the shadowcopies.

On the basis that ransomware tries to delete backups, it would give the appearance of suspicious behaviour.

Does that stop the deletions happening or just raise loads of alerts (and are they maskable)?

In my case at least, it raises alerts and terminates the vssadmin.exe process.

In at least one customer environment in which I’m working, Crowdstrike flags only when we use vssadmin to delete ‘/all’ snapshots, but doesn’t flag if we delete one-by-one.
I built a custom copy of the fixlet that uses WMI to retrieve a list of snapshots and delete them individually, I should be able to post that here later today.
I don’t know whether our content team should change the action (and add a WMI lookup complexity) to avoid what is essentially a Crowdstrike problem though.

1 Like

This version of the Action Script will enumerate the shadow copies and delete them individually. That should avoid the problem of CrowdStrike flagging/blocking the use of the ‘vssadmin delete shadows /all’ command.

//redirect to 64 bit versions
action uses wow64 redirection false

//icacls command to apply permissions inheritance
waithidden cmd.exe /C icacls.exe "{pathname of windows folder}\system32\config\*.*" /inheritance:e

//Create & run batch to delete prior VSS shadow copies
delete __appendfile
appendfile {concatenation "%0d%0a" of ("%22" & pathname of file "vssadmin.exe" of native system folder & "%22 delete shadows /shadow=" & it & " /quiet") of string values of selects "ID from Win32_Shadowcopy" of wmis "root\cimv2"}

delete RemoveSnapshots.cmd
move __appendfile RemoveSnapshots.cmd
waithidden cmd.exe /c RemoveSnapshots.cmd

1 Like
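The same remediation steps in PowerShell, added as an example (not from this thread or the bigfix.me Fixlet; the function names are my own). It re-enables inheritance on the hive files with the icacls command from the MS guidance, then enumerates Win32_ShadowCopy through CIM and deletes each snapshot by ID with vssadmin, the per-ID form the Action Script above uses instead of `delete shadows /all`. Run it elevated from a 64-bit host; as the thread notes, expect EDR to alert on vssadmin deleting snapshots regardless of form, so coordinate the rollout with whoever owns those alerts.

```powershell
# Added example, not the Fixlet's Action Script. Function names are assumptions of this example.
function Assert-NativeSystem32 {
    # Same intent as "action uses wow64 redirection false": a 32-bit host would be redirected to SysWOW64
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        throw 'Run this from a 64-bit PowerShell host so System32 paths are not WOW64-redirected.'
    }
}

function Repair-ConfigHiveInheritance {
    # The icacls step from the MS guidance: re-enable inheritance on the hive files so they
    # pick up the restrictive ACL of the config folder again
    Assert-NativeSystem32
    $target = Join-Path $env:windir 'System32\config\*.*'
    & (Join-Path $env:windir 'System32\icacls.exe') $target /inheritance:e | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

function Remove-ShadowCopyIndividually {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    Assert-NativeSystem32
    $vssadmin = Join-Path $env:windir 'System32\vssadmin.exe'
    $deleted  = New-Object System.Collections.Generic.List[string]

    # Enumerate through WMI as the Action Script does, then delete each snapshot by ID rather than /all
    foreach ($copy in Get-CimInstance -Namespace root/cimv2 -ClassName Win32_ShadowCopy) {
        if (-not $PSCmdlet.ShouldProcess($copy.ID, 'vssadmin delete shadows')) { continue }
        & $vssadmin delete shadows "/shadow=$($copy.ID)" /quiet | Out-Null
        if ($LASTEXITCODE -eq 0) {
            $deleted.Add($copy.ID)
        } else {
            Write-Warning "vssadmin exited with $LASTEXITCODE for shadow copy $($copy.ID)"
        }
    }
    return $deleted
}

Repair-ConfigHiveInheritance
# -WhatIf lists the snapshots that would be removed; drop it to delete them
$removed = Remove-ShadowCopyIndividually -WhatIf
"Removed $($removed.Count) shadow copies"
```

Running the deletion with `-WhatIf` first shows which snapshot IDs are on the box, which is useful for confirming with the backup owner before any restore points disappear.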