MSRC compact vulnerability detail

CVE-2021-36934 · Windows Elevation of Privilege Vulnerability

An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database, which grant read access to non-administrative users. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability. Because Volume Shadow Copy snapshots of the system volume retain copies of these files with the old ACLs, installing this security update alone does not fully mitigate the vulnerability: after installing it, you must manually delete all shadow copies of the system volume, including those containing the SAM database. See KB5005357 - Delete Volume Shadow Copies.

Severity
Important
Impact
Elevation of Privilege
CVSS
7.8 base · 7.3 temporal
Release
2021-07-20
Signals
Microsoft Windows Elevation of Privilege
Exploited: No
Publicly disclosed: Yes
Exploitability: Exploitation More Likely
CWE
No CWE data published.
FAQ / Articles
Workaround
We recommend installing this security update as soon as possible. If you must delay installation of this security update, we recommend this workaround:

1. Restrict access to the contents of %windir%\system32\config
   Command Prompt (Run as administrator):
     icacls %windir%\system32\config\*.* /inheritance:e
   Windows PowerShell (Run as administrator):
     icacls $env:windir\system32\config\*.* /inheritance:e
   (Re-enabling inheritance makes the files take the restrictive ACL of the config directory in place of their own overly permissive explicit entries.)

2. Delete Volume Shadow Copy Service (VSS) shadow copies
   Delete any System Restore points and shadow volumes that existed prior to restricting access to %windir%\system32\config. Create a new System Restore point (if desired).

Impact of workaround
Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications. For more information on how to delete shadow copies, see KB5005357 - Delete Volume Shadow Copies.

Note 1: You must both restrict access and delete shadow copies to mitigate this vulnerability.
Note 2: Even after installing this security update, you must delete all shadow copies of your system volume to fully mitigate this vulnerability.
Caution: Restoring your system from a backup could also restore the overly permissive ACLs, a...
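The following Windows PowerShell script is an added example, not part of the MSRC advisory or of KB5005357. It checks the live SAM, SECURITY and SYSTEM hives for the condition described above (an Allow entry for BUILTIN\Users with read access), lists the shadow copies that would still carry the old ACLs, and, only when run with the hypothetical -Fix switch, applies the two workaround steps. The advisory itself gives only the icacls command and refers to KB5005357 for deleting shadow copies; the SID-based comparison, the Win32_ShadowCopy query, the vssadmin call and the optional Checkpoint-Computer restore point are my additions.

```powershell
<#
 Added example (not from the MSRC advisory): audit a host for the CVE-2021-36934
 ACL condition and the shadow copies that still expose it; optionally apply the
 documented workaround. Assumes an elevated Windows PowerShell 5.1 session.
#>
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [switch]$Fix   # hypothetical switch: without it the script is read-only
)

$configDir = Join-Path $env:windir 'System32\config'
$usersSid  = 'S-1-5-32-545'   # well-known SID for BUILTIN\Users, locale-independent
$readData  = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Test-HiveExposed {
    param([string]$Path)
    # Vulnerable hosts carry an inherited Allow ACE for BUILTIN\Users with RX rights
    # on the hive files. Reading the security descriptor needs only READ_CONTROL, so
    # Get-Acl works even though lsass holds the hive open exclusively.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -ne $usersSid) { continue }
        if (([int]$ace.FileSystemRights -band $readData) -ne 0) { return $true }
    }
    return $false
}

$exposed = @()
foreach ($hive in 'SAM', 'SECURITY', 'SYSTEM') {
    $path = Join-Path $configDir $hive
    if (Test-HiveExposed -Path $path) {
        Write-Warning "$path : readable by BUILTIN\Users (vulnerable ACL)"
        $exposed += $path
    } else {
        Write-Verbose "$path : ACL OK"
    }
}

# A shadow copy preserves the hives with whatever ACL they had at snapshot time, so
# every snapshot taken before the ACL was corrected still exposes them even when the
# live ACL is already fixed. That is why the advisory requires deleting them.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
foreach ($s in $shadows) {
    Write-Warning ("Shadow copy {0} of volume {1} created {2:u} may contain hives with the old ACL" -f
        $s.ID, $s.VolumeName, $s.InstallDate)
}

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    ExposedHives   = $exposed
    ShadowCopies   = $shadows.Count
    Vulnerable     = ($exposed.Count -gt 0) -or ($shadows.Count -gt 0)
}

if ($Fix) {
    # Step 1 of the MSRC workaround: re-enable inheritance so the files take the
    # restrictive ACL of the config directory instead of their own explicit ACEs.
    icacls (Join-Path $configDir '*.*') /inheritance:e | Out-Null

    # Step 2: remove the pre-fix shadow copies of the system volume (destructive;
    # affects System Restore and backup products that rely on VSS, as the advisory notes).
    vssadmin delete shadows "/for=$env:SystemDrive" /Quiet | Out-Null

    # Optional: a fresh restore point now snapshots the hives with the corrected ACL.
    if (Get-Command Checkpoint-Computer -ErrorAction SilentlyContinue) {
        Checkpoint-Computer -Description 'Post CVE-2021-36934 ACL correction' -RestorePointType MODIFY_SETTINGS
    }
}
```

Run it without arguments to get a summary object (Vulnerable is true if any hive is readable by Users or any shadow copy exists), and with -Fix -Verbose to apply the workaround. Re-running afterwards should report no exposed hives and only the newly created shadow copy, if any.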
FAQ
Why doesn't this security update fully mitigate this vulnerability?
Fully mitigating this vulnerability involves deleting shadow copies of user data. To avoid deleting data without users' consent, we have opted to allow users to delete their shadow copies themselves. See KB5005357 - Delete Volume Shadow Copies.

Why doesn't this security update correct the ACLs on all files in %windir%\system32\config?
This security update corrects the ACLs on specific system files, including the SAM database, that would allow an attacker to elevate privileges. To avoid unexpected behavior, this security update does not correct the ACLs on every file in %windir%\system32\config.

I had manually corrected the ACLs on files in %windir%\system32\config and then deleted the shadow copies of my system volume. Do I need to delete the shadow copies again?
No. If you correctly applied the workaround before installing this security update, then you do not need to delete any shadow copies again.