Microsoft Windows 10 and Windows 11 users are at risk of a new unpatched vulnerability that was recently disclosed publicly.
As we reported last week, the vulnerability — SeriousSAM — allows attackers with low-level permissions to access Windows system files to perform a Pass-the-Hash (and potentially Silver Ticket) attack.
Attackers can exploit this vulnerability to obtain hashed passwords stored in the Security Account Manager (SAM) and Registry, and ultimately run arbitrary code with SYSTEM privileges.
SeriousSAM vulnerability, tracked as CVE-2021-36934, exists in the default configuration of Windows 10 and Windows 11, specifically due to a setting that allows ‘read’ permissions to the built-in user’s group that contains all local users.
As a result, built-in local users have access to read the SAM files and the Registry, where they can also view the hashes. Once the attacker has ‘User’ access, they can use a tool such as Mimikatz to gain access to the Registry or SAM, steal the hashes and convert them to passwords. Invading Domain users that way will give attackers elevated privileges on the network.
Because there is no official patch available yet from Microsoft, the best way to protect your environment from SeriousSAM vulnerability is to implement hardening measures.
According to Dvir Goren, CTO at CalCom, there are three optional hardening measures:
When using GPOs for implementation, make sure the following UI Path is Enabled:
> Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of passwords and credentials for network authentication
Despite the fact that the last recommendation offers a good solution for SeriousSAM, it may negatively impact your production if not properly tested before it is pushed. When this setting is enabled, applications that use scheduled tasks and need to store users’ hashes locally will fail.
The following are Dvir’s recommendations for mitigating without causing downtime:
These three tasks are complex and require a lot of resources and in-house expertise. Therefore, Dvir’s final recommendation is to automate the entire hardening process to save the need to perform stages 1, 2 and 3.
Here is what you will gain from a Hardening Automation Tool:
Hardening automation tools will learn the dependencies directly from your network and automatically generate an accurate impact analysis report. A hardening automation tool will also help you orchestrate the implementation and monitoring process.
Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.