Microsoft Security has discussed a relatively new Windows vulnerability in recent days, and the company has now published a workaround for the issue affecting access control lists (ACLs) on the Security Account Manager (SAM) database. The vulnerability, tracked as CVE-2021-36934, is serious because it hands elevated privileges to an attacker who should not have them.
How to fix the Windows elevation of privilege vulnerability
An elevation of privilege vulnerability exists due to overly permissive access control lists (ACLs) on several system files, including the Security Account Manager (SAM) database. An attacker who successfully exploited this vulnerability could execute arbitrary code with SYSTEM privileges. An attacker could then install programs; view, modify or delete data; or create new accounts with full user rights.
To exploit the vulnerability, an attacker must first be able to log on to the system and run code on it. Microsoft is still investigating the issue and expects to add further details to the CVE entry. In the meantime, there is a two-step workaround that users can apply to close off the vulnerable part of the operating system.
As mentioned, the problem lies in the ACLs on the SAM database and several other system files. Once the vulnerability is exploited, the attacker ends up with SYSTEM privileges, at which point almost any change to the machine is possible.
Installing or removing programs, reading, changing or deleting data, creating accounts, and executing arbitrary code are some of the possible consequences. According to Microsoft's advisory, no exploitation had been observed at the time of publication, and the company was quick to publish a workaround. However, it also rates exploitation as "more likely", so users should apply the workaround as soon as possible.
There are two steps to solve the problem.
In the first step, run the following command from an elevated Command Prompt or Windows PowerShell session to restrict access to the contents of %windir%\system32\config:
Command Prompt (run as administrator):
icacls %windir%\system32\config\*.* /inheritance:e
Windows PowerShell (Run as administrator):
icacls $env:windir\system32\config\*.* /inheritance:e
In the second step, delete all existing Volume Shadow Copy Service (VSS) shadow copies, because any shadow copy taken before the ACL was corrected still contains a readable copy of the SAM. This also removes existing system restore points, since they are stored as shadow copies.
Once the shadow copies have been deleted and access to %windir%\system32\config has been restricted, a new system restore point can be created.
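The following script is an added example and is not part of the original article or of Microsoft's advisory. It checks whether the SAM hive is readable by ordinary users (the condition behind CVE-2021-36934), applies the two steps above, and verifies the result. The function names and the restore-point description are assumptions; the icacls and vssadmin commands are the documented ones. Run it from an elevated Windows PowerShell 5.1 session, since Checkpoint-Computer is not available in PowerShell 7.

```powershell
# Added example (not from the original article or Microsoft's advisory).
# Assumed names: Test-SamReadableByUsers, Invoke-SamWorkaround, Get-ShadowCopyCount.

$ConfigDir = Join-Path $env:windir 'System32\config'
$UsersSid  = 'S-1-5-32-545'   # BUILTIN\Users as a SID, so the check works on localized systems

function Test-SamReadableByUsers {
    # Returns $true when BUILTIN\Users holds an Allow ACE with ReadData on the SAM file.
    $acl = Get-Acl -LiteralPath (Join-Path $ConfigDir 'SAM')
    foreach ($ace in $acl.Access) {
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # unresolvable identity; cannot be BUILTIN\Users
        }
        $readBit = [int][System.Security.AccessControl.FileSystemRights]::ReadData
        $canRead = ([int]$ace.FileSystemRights -band $readBit) -ne 0
        if ($sid -eq $UsersSid -and $ace.AccessControlType -eq 'Allow' -and $canRead) {
            return $true
        }
    }
    return $false
}

function Invoke-SamWorkaround {
    # Step 1: re-enable ACL inheritance on every file under %windir%\System32\config.
    # This is Microsoft's published command; it rebuilds the inherited ACEs from the
    # parent directory's ACL, replacing the stale entries that exposed the hives.
    & "$env:windir\System32\icacls.exe" "$ConfigDir\*.*" /inheritance:e | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

    # Step 2: shadow copies taken before the ACL change still hold a readable SAM,
    # so delete all of them. This also discards existing System Restore points.
    & "$env:windir\System32\vssadmin.exe" delete shadows /all /quiet | Out-Null

    # Step 3: create a fresh restore point so System Restore is usable again.
    Checkpoint-Computer -Description 'CVE-2021-36934 workaround' -RestorePointType MODIFY_SETTINGS
}

function Get-ShadowCopyCount {
    # Number of shadow copies still present; expected to be 0 right after the workaround.
    @(Get-CimInstance -ClassName Win32_ShadowCopy).Count
}

if (Test-SamReadableByUsers) {
    Write-Host 'SAM is readable by BUILTIN\Users: vulnerable. Applying workaround.'
    Invoke-SamWorkaround
    if (Test-SamReadableByUsers) { throw 'SAM is still readable by Users after the workaround.' }
    Write-Host "Workaround applied. Remaining shadow copies: $(Get-ShadowCopyCount)"
} else {
    Write-Host 'SAM ACL already restricts BUILTIN\Users; no change made.'
}
```

Two caveats when running this: System Restore must be enabled on the system drive or Checkpoint-Computer will fail, and Windows only allows one restore point per 24 hours by default, so the final step is silently skipped if one was created recently. The ACL check looks only at the SAM file, but the same inheritance problem can affect the SECURITY and SYSTEM hives in the same directory, which is why the icacls command targets every file there.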
The drawback of the workaround is that existing system restore points are lost. That is not a problem for anyone with another form of backup, but individuals or organizations that rely entirely on system restore points are left without a recovery option until a new restore point has been created.
Note that the current workaround is an interim fix. Microsoft will likely release a fix after investigating the issue thoroughly.