SeriousSAM: hardening measures

The SeriousSAM vulnerability (CVE-2021-36934) exists in the default configuration of Windows 10 and Windows 11, because the default permissions grant "read" access to the built-in Users group, which contains all local users. An attacker can use this vulnerability to obtain the hashed passwords stored in the Security Account Manager (SAM) and the registry and, eventually, run arbitrary code with SYSTEM privileges.

As a result, local built-in users can access and read the SAM file and the registry hives, including the password hashes they contain. Once an attacker has "user" access, they can use tools like Mimikatz to read the registry or SAM, steal the hash values, and recover the passwords from them. Compromising domain users in this way lets the attacker gain greater authority on the network.

Since Microsoft has not yet provided an official patch, the best way to protect your environment from the SeriousSAM vulnerability is to implement hardening measures. According to CalCom CTO Dvir Goren, there are three optional enforcement measures:

1. Remove all users from the built-in Users group. This is a good starting point, but you will not be protected if your administrator credentials are stolen.
2. Restrict the SAM file and registry permissions so that only administrators can access them. Again, this solves only part of the problem: if an attacker steals the administrator credentials, you are still exposed to this vulnerability.
3. Storage of passwords and credentials for network authentication is not allowed; this rule is also recommended in the CIS benchmarks. With this rule in place, no hashes will be stored in the SAM or the registry, thus fully mitigating this vulnerability.

SeriousSAM bug impacts all Windows 10 versions released in the past 2.5 years

A security researcher has discovered a major vulnerability in the Windows 10 operating system that can allow threat actors to gain elevated privileges and access to user account passwords.

Discovered by Jonas Lyk over the weekend, the vulnerability resides in how Windows 10 grants access to some OS configuration files. In particular, the vulnerability, nicknamed SeriousSAM, refers to how Windows 10 controls who can access files like SAM, SECURITY, and SYSTEM.

These are important Windows files because they hold information such as hashed passwords for all Windows user accounts, security-related settings, data about encryption keys, and other core OS configuration details.

A threat actor who can read files from these locations can extract crucial information that allows them to obtain user passwords and system settings that can be abused for malicious purposes.

Because of the sensitive data they store, only Windows admin accounts are allowed to interact with these configuration files.

Bug discovered by accident while testing Windows 11

However, while testing the upcoming Windows 11 release, Lyk discovered that while Windows was restricting low-privileged users from accessing those sensitive configuration files, copies of these files were also being saved in backup files created by Volume Shadow Copy (VSS), a Windows feature that creates snapshots of computer files during filesystem operations.
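As an added, defender-side example (not code from CalCom, BleepingComputer or Microsoft), the PowerShell script below audits a host for the conditions described above: whether BUILTIN\Users holds a read ACE on the SAM, SECURITY and SYSTEM hive files, whether shadow copies that may still carry readable copies of those hives exist, whether the "Do not allow storage of passwords and credentials for network authentication" policy (the DisableDomainCreds LSA registry value) is enabled, and who is a member of the built-in Users group. The optional -Remediate switch restores ACL inheritance on the config directory with icacls, which is Microsoft's published workaround for CVE-2021-36934; the function names and the output layout are my own.

```powershell
# Added SeriousSAM audit example; not code from the articles above or from Microsoft.
# Run from an elevated PowerShell 5.1+ session on Windows 10/11.
#   .\Test-SeriousSam.ps1            # report only
#   .\Test-SeriousSam.ps1 -Remediate # also restore ACL inheritance (Microsoft's workaround)
[CmdletBinding()]
param([switch]$Remediate)

$ConfigDir = Join-Path $env:windir 'System32\config'
$UsersSid  = 'S-1-5-32-545'   # BUILTIN\Users; compare SIDs, not localized group names
$ReadData  = [int][System.Security.AccessControl.FileSystemRights]::ReadData

function Test-UsersCanReadHive {
    param([Parameter(Mandatory)][string]$Path)
    # The hives are held open exclusively by the kernel while Windows runs, but
    # Get-Acl only needs READ_CONTROL, so reading the DACL still succeeds.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($sid -eq $UsersSid -and (([int]$ace.FileSystemRights) -band $ReadData) -ne 0) {
            return $true
        }
    }
    return $false
}

function Get-SeriousSamStatus {
    $hives = foreach ($name in 'SAM', 'SECURITY', 'SYSTEM') {
        [pscustomobject]@{
            Hive         = $name
            UsersCanRead = Test-UsersCanReadHive -Path (Join-Path $ConfigDir $name)
        }
    }

    # Shadow copies snapshot the hives with whatever ACL they had at the time,
    # so fixing the live ACL alone leaves readable copies behind.
    $shadowCount = @(vssadmin list shadows 2>&1 | Select-String 'Shadow Copy ID').Count

    # "Network access: Do not allow storage of passwords and credentials for
    # network authentication" maps to this LSA value (1 = enabled).
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name DisableDomainCreds -ErrorAction SilentlyContinue
    $noStoredCreds = ($null -ne $lsa) -and ($lsa.DisableDomainCreds -eq 1)

    # Measure 1 above: who is still in the built-in Users group?
    $usersMembers = @(Get-LocalGroupMember -SID $UsersSid -ErrorAction SilentlyContinue |
                      Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        Hives              = $hives
        Vulnerable         = [bool]($hives | Where-Object UsersCanRead)
        ShadowCopies       = $shadowCount
        DisableDomainCreds = $noStoredCreds
        BuiltinUsersGroup  = $usersMembers
    }
}

$status = Get-SeriousSamStatus
$status.Hives | Format-Table -AutoSize
$status | Select-Object Vulnerable, ShadowCopies, DisableDomainCreds | Format-List
"Members of BUILTIN\Users: $($status.BuiltinUsersGroup -join ', ')"

if ($status.Vulnerable -and $Remediate) {
    # Microsoft's workaround: re-enable inheritance so the hive files pick up
    # the restrictive ACL of System32\config again.
    icacls "$ConfigDir\*.*" /inheritance:e | Out-Null
    Write-Warning ("ACL inheritance restored. The $($status.ShadowCopies) existing shadow " +
                   "copies still contain the old, readable hives; review and delete them " +
                   "(vssadmin delete shadows) once you are sure they are not needed for recovery.")
}
```

The script reports rather than changes state by default, because the two halves of the fix have different blast radii: resetting inheritance on the live hives is cheap and reversible, while deleting shadow copies discards restore points, so that step is left to the operator. Comparing the SID rather than the name avoids false negatives on non-English installs, where BUILTIN\Users is localized.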