SeriousSAM Privilege Escalation Vulnerability

SeriousSAM is a local escalation-of-privilege vulnerability affecting some versions of Windows 10. An attacker could exploit this to obtain sensitive system and security data, which could then be used to take full control of affected systems and domains.


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

Security researchers have discovered a vulnerability, known as SeriousSAM or HiveNightmare, in the access control lists (ACLs) for several registry hive files. An authenticated non-administrator user could exploit SeriousSAM to obtain copies of these files, at which point they may use the files' contents to gain SYSTEM privileges and take full control of affected systems.


Vulnerability details

SeriousSAM appears to be the result of misconfigured ACLs for the DEFAULT, SAM (Security Account Manager), SECURITY, SOFTWARE, and SYSTEM registry hives. These hives contain system- and security-critical registry keys, configuration settings, and credential hashes, and by default they are only accessible to administrative users. On SeriousSAM-affected systems, all members of the \Users group are given read permissions to these hives, although the live hive files still cannot be read by this group while the system has them open.

However, these registry hives are included in any Volume Shadow Service (VSS) copies made by the Windows System Protection service. Users may open historic VSS copies and read the hives from there. The data stored within these hives, and in particular the SAM hive, could be used to gain SYSTEM-level privileges. Additional domain access may potentially be gained via cached content within the other hives.

Publicly available exploits

There are now several publicly available proof-of-concept exploits for SeriousSAM.


Remediation advice

Affected organisations are encouraged to review Microsoft's CVE-2021-36934 security update guide and apply any relevant updates. Organisations unable to apply the updates should review Microsoft's suggested partial mitigations:

  • Restrict access to the contents of %windir%\system32\config using the below commands:
    • icacls %windir%\system32\config\*.* /inheritance:e on Command Prompt
    • icacls $env:windir\system32\config\*.* /inheritance:e on PowerShell
  • Delete all vulnerable VSS shadow copies by:
    1. Deleting any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.
    2. Creating new System Restore points.

Both restricting access and deleting historic VSS copies are necessary to prevent SeriousSAM exploitation. For more information please review Microsoft's knowledge base article KB5005357.
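The following read-only PowerShell check is an added example, not part of this advisory or of Microsoft's guidance: it reports whether a host still shows the two conditions the mitigations above address, namely BUILTIN\Users (SID S-1-5-32-545) holding read access on the hive files, and shadow copies that were created before the ACL was fixed. It assumes it is run from an elevated PowerShell session on the host being checked; the hive paths, the SID and the CIM class are standard Windows values, and the script changes nothing.

```powershell
# Added example (not from the advisory): check for the SeriousSAM conditions on this host.
# Assumes an elevated session; shadow-copy enumeration needs administrator rights.
$hiveNames = 'DEFAULT', 'SAM', 'SECURITY', 'SOFTWARE', 'SYSTEM'
$usersSid  = 'S-1-5-32-545'   # well-known SID for BUILTIN\Users, independent of locale

$exposedHives = foreach ($name in $hiveNames) {
    $path = Join-Path $env:windir "system32\config\$name"
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $acl = Get-Acl -LiteralPath $path
    foreach ($ace in $acl.Access) {
        # Resolve the trustee to a SID so the comparison works on localised systems.
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        # An Allow ACE granting ReadData to Users is the misconfiguration described above.
        $grantsRead = ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData) -ne 0
        if ($sid -eq $usersSid -and $ace.AccessControlType -eq 'Allow' -and $grantsRead) {
            [pscustomobject]@{ Hive = $name; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

# Shadow copies created before the ACL fix still contain readable hive copies.
$shadowCopies = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
    Select-Object ID, VolumeName, InstallDate

if ($exposedHives) {
    Write-Output "VULNERABLE ACL: BUILTIN\Users has read access on the following hive files:"
    $exposedHives | Format-Table -AutoSize
} else {
    Write-Output "Hive file ACLs do not grant read access to BUILTIN\Users."
}

if ($shadowCopies) {
    Write-Output "Existing shadow copies (delete any created before the ACL fix, then create a new restore point):"
    $shadowCopies | Format-Table -AutoSize
} else {
    Write-Output "No shadow copies found (or insufficient rights to enumerate them)."
}
```

Run the check again after applying the icacls command and recreating restore points; both sections should then report clean.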

Last edited: 11 August 2021 1:05 pm