Microsoft Windows 10 and Windows 11 users are at risk of a new unpatched vulnerability that was recently disclosed publicly.
The vulnerability — SeriousSAM — allows attackers with low-level permissions to access Windows system files to perform a Pass-the-Hash (and potentially Silver Ticket) attack.
Attackers can exploit this vulnerability to obtain hashed passwords stored in the Security Account Manager (SAM) and Registry, and ultimately run arbitrary code with SYSTEM privileges.
The SeriousSAM vulnerability, tracked as CVE-2021-36934, exists in the default configuration of Windows 10 and Windows 11, specifically due to a setting that grants ‘read’ permissions to the built-in Users group, which contains all local users.
As a result, built-in local users can read the SAM files and the Registry, where they can also view the hashes. Once an attacker has ‘User’ access, they can use a tool such as Mimikatz to gain access to the Registry or SAM, steal the hashes and convert them to passwords. Compromising domain users this way gives attackers elevated privileges on the network.
Because there is no official patch available yet from Microsoft, the best way to protect your environment from the SeriousSAM vulnerability is to implement hardening measures.
Mitigating SeriousSAM
According to Sky Houston, CTO at GeeksByTheHour, there are three optional hardening measures:
- Delete all users from the built-in Users group — this is a good place to start, but it won’t protect you if Administrator credentials are stolen.
- Restrict SAM files and Registry permissions — allow access only for Administrators. Again, this solves only part of the problem: if an attacker steals Admin credentials, you will still be exposed to this vulnerability.
- Don’t allow the storage of passwords and credentials for network authentication — by implementing this rule, there will be no hash stored in the SAM or registry, thereby mitigating this vulnerability completely.
When using GPOs for implementation, make sure the following UI Path is Enabled:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of passwords and credentials for network authentication
Although the last recommendation offers a good solution for SeriousSAM, it may negatively impact your production environment if it is not properly tested before it is pushed. When this setting is enabled, applications that use scheduled tasks and need to store users’ hashes locally will fail.
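
To see where a machine stands on the second and third measures, the following PowerShell audit (an added example, not part of the original article or of Microsoft's guidance) reports whether the built-in Users group can read the hive files and whether the GPO setting above is in effect. The hive paths under System32\config and the DisableDomainCreds registry value that backs the policy are assumptions not stated in the article; run it from an elevated prompt.

```powershell
# Added audit example: read-only checks, changes nothing on the system.
# Assumptions (not from the article): hive file paths and the registry value name.
$usersSid = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users, locale-independent
$sidType  = [System.Security.Principal.SecurityIdentifier]
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

$hives = 'SAM', 'SYSTEM', 'SECURITY' | ForEach-Object {
    Join-Path $env:windir "System32\config\$_"
}

$report = @(foreach ($path in $hives) {
    try {
        $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
        # Resolve every rule (explicit and inherited) to a SID before comparing.
        $hits = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
            $_.IdentityReference.Value -eq $usersSid -and
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $readData)
        }
        [pscustomobject]@{
            Item   = $path
            Status = if ($hits) { 'EXPOSED: BUILTIN\Users has read access' } else { 'OK' }
        }
    }
    catch {
        # Access denied or missing file: report it rather than assuming a result.
        [pscustomobject]@{ Item = $path; Status = "UNKNOWN: $($_.Exception.Message)" }
    }
})

# Registry value written by the "Network access: Do not allow storage of
# passwords and credentials for network authentication" policy (1 = Enabled).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'DisableDomainCreds' -ErrorAction SilentlyContinue
$report += [pscustomobject]@{
    Item   = 'Policy: do not store network authentication credentials'
    Status = if ($lsa.DisableDomainCreds -eq 1) { 'Enabled' } else { 'Not enabled' }
}

$report | Format-Table -AutoSize -Wrap
```

Any line marked EXPOSED means the second measure has not been applied to that file, and a "Not enabled" policy line means the GPO has not reached the machine.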