New Windows 11 and 10 flaw lets anyone take over your PC — what to do
Boneheaded recent change to Windows just makes it too easy
Updated later on July 20, and again on July 21, to include comment from Microsoft.
There's a new and very serious flaw in recent versions of Windows 10 and Windows 11 that could let any local user without an administrative password, including malware installed by other means, take full control of the PC. No fix from Microsoft is available yet.
This vulnerability stems from an apparent change in recent versions of Windows 10 that lets even unprivileged users read the Security Account Manager (SAM), SYSTEM and SECURITY files of the Windows Registry, as security researcher Jonas Lykkegaard reported on Twitter yesterday (July 19).
Lykkegaard's tweet (July 19, 2021): "yarh- for some reason on win11 the SAM file now is READ for users. So if you have shadowvolumes enabled you can read the sam file like this: I don't know the full extent of the issue yet, but it's too many to not be a problem I think." (Screenshot: pic.twitter.com/kl8gQ1FjFt)
Just a couple of hours ago today (July 20), Will Dormann of the CERT Coordination Center (CERT/CC) at Carnegie-Mellon University in Pittsburgh issued a security advisory about this flaw.
Dormann believes that this flaw was introduced with Windows 10 build 1809, but in some cases it appears that how you install or upgrade Windows determines whether your machine is vulnerable. (Microsoft has since confirmed that it was introduced with 1809.)
Dormann's tweet (July 20, 2021): "What makes things tricky here is not where you are, but how you got there. e.g. Windows 10 20H2 RTM install: VULNERABLE. Windows 10 20H2 RTM install + Windows Update: VULNERABLE. 20H2 November install: NOT VULNERABLE. Do you remember which install media you used to get Windows 10?" (Screenshot: pic.twitter.com/fWaxVBdCWh)
So what's up with this Windows flaw?
The SAM file in the Windows Registry contains "hashed" versions of all the user passwords on a given Windows system, including the passwords of administrative users.
"Hashing" passwords means running them through a one-way function that cannot (in theory) be reversed to recover the password. As an example, the hash of "password", using Microsoft's own NTLM algorithm, is "8846F7EAEE8FB117AD06BDD830B7586C".
The problem is that the NTLM algorithm is pretty weak: it is fast to compute and uses no salt, so hashes can often be "cracked," or reversed to give the original password, by hashing large numbers of candidate passwords and looking for a match.
Even worse, some Windows-related functions, such as accessing a networked server, let you log in using the NTLM hash rather than the password itself (a so-called "pass-the-hash" attack). So it's not good when any piece of software or any user on a Windows system can suddenly see the NTLM hashes of all the other users' passwords.
It's not easy for any user to access the SAM file while a computer is running. But Lykkegaard found that he, even as an unprivileged user, could access the backed-up version of the SAM file in the "shadow copy" that most Windows systems create.
A shadow copy is a backup, hidden on the main drive, of a Windows system's most important files. Your PC creates a shadow copy every time it installs a system update or upgrade. For most PCs, that means a new shadow copy every month.
A shadow copy isn't always that hidden. Even if it's using a unique file name, it's a predictable file name in a predictable location.
So crafty malware that got onto a PC via a phishing email, pirated software, or a malicious web link would be able to locate the SAM file in the shadow copy, read the user password hashes and probably have a fair chance at cracking the hashes or using them to log onto remote servers.
Even the best Windows 10 antivirus software might not be able to stop all such attacks.
Update: Microsoft security advisory
In the hours after we first published this story, Microsoft issued a security advisory for this flaw and assigned it the identifier CVE-2021-36934.
"An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database," said the advisory.
"An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," it added. "An attacker must have the ability to execute code on a victim system to exploit this vulnerability."
The advisory promises future "mitigations and workarounds as our investigation progresses."
For the moment, the only mitigation for this flaw that Tom's Guide is aware of is outlined below. [UPDATE: Microsoft later on July 20 (in Pacific time) added a workaround to mitigate the flaw. See below.]
How to check if your PC is vulnerable
You can see if your PC is vulnerable to this flaw by checking two things.
First, fire up the Windows command-prompt (type "cmd" into the search bar at the bottom of the screen), type this, then hit Enter:
icacls c:\windows\system32\config\sam
If you get a response that includes this line:
BUILTIN\Users:(I)(RX)
... then it means unprivileged users can read the SAM file and your system may be vulnerable.
If so, then you'll want to check if shadow copies exist. For that, you'll need to be using the command-prompt as an administrator.
If you're not already an administrator, type "cmd" into the search bar again and then right-click "Command Prompt" and select "Run as administrator" and enter your Windows password or PC PIN when prompted.
Once the command-prompt window is open, type this and hit Enter:
vssadmin list shadows
You may get a full report that looks like this. If so, then you have shadow copies:
Contents of shadow copy set ID: {d9e0503a-bafa-4255-bfc5-b781cb27737e}
Contained 1 shadow copies at creation time: 7/19/2021 9:30:13 AM
Shadow Copy ID: {5b5d02a8-44e9-420e-9ec9-a585cd991ed8}
Original Volume: (C:)\\?\Volume{b7f4115b-4242-4e13-84c0-869524965718}\
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
Originating Machine: DESKTOP-CHOLLIMA
Service Machine: DESKTOP-CHOLLIMA
Provider: 'Microsoft Software Shadow Copy provider 1.0'
Type: ClientAccessibleWriters
Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
Here's what you might get if you don't:
No items found that satisfy the query.
If regular users can read the SAM file AND shadow copies exist, then your Windows system is vulnerable to attack.
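The two checks above as one script, added here as an example (it is not the article's, CERT/CC's or Microsoft's code); it assumes Windows PowerShell 5.1 or later run from an elevated prompt, since enumerating shadow copies needs administrator rights:

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article, CERT/CC or Microsoft): tests the two conditions
# described above with built-in cmdlets. Elevation is needed for the shadow-copy query.

$hives = 'sam', 'security', 'system' |
    ForEach-Object { Join-Path $env:windir "system32\config\$_" }

# Condition 1: an Allow entry for the Users group on any hive file that includes read
# access. The group is matched by its well-known SID (S-1-5-32-545) rather than by the
# name "BUILTIN\Users", so localized Windows installs are handled too. Reading a file's
# security descriptor succeeds even though the hives are held open by the system.
$usersSid = 'S-1-5-32-545'
$readBit  = [System.Security.AccessControl.FileSystemRights]::ReadData
$exposed  = foreach ($hive in $hives) {
    foreach ($ace in (Get-Acl -LiteralPath $hive).Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($ace.AccessControlType -eq 'Allow' -and $sid -eq $usersSid -and
            (($ace.FileSystemRights -band $readBit) -ne 0)) {
            [pscustomobject]@{ Hive = $hive; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

# Condition 2: any Volume Shadow Copy on the machine (the same data "vssadmin list shadows" prints).
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

if ($exposed) {
    Write-Host 'Hive files readable by Users:' -ForegroundColor Yellow
    $exposed | Format-Table -AutoSize | Out-Host
}
Write-Host ('Shadow copies present: {0}' -f $shadows.Count)

# Both conditions together are what the article calls vulnerable; wrong ACLs alone still
# need fixing, because the next update or restore point will create a readable copy.
if ($exposed -and $shadows.Count -gt 0) {
    Write-Host 'VULNERABLE (CVE-2021-36934): Users can read the hives and shadow copies exist.' -ForegroundColor Red
} elseif ($exposed) {
    Write-Host 'ACLs are over-permissive but no shadow copies exist yet; fix the ACLs now.' -ForegroundColor Yellow
} else {
    Write-Host 'Not vulnerable: the Users group cannot read the hive files.' -ForegroundColor Green
}
```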
So I'm vulnerable. Now what?
CERT/CC's Dormann recommends taking the following steps to dodge the risk of attacks using this flaw. Note that this workaround will delete existing shadow copies, so your computer will temporarily be without a restore point.
1. Fire up an administrative command-line window, as above. (Windows PowerShell will work too.)
2. Block "Users" from accessing sensitive Registry files by typing in the following commands and hitting Enter after each one:
icacls %windir%\system32\config\sam /remove "Users"
icacls %windir%\system32\config\security /remove "Users"
icacls %windir%\system32\config\system /remove "Users"
2a. Update: Microsoft suggests a different command that should achieve the same result. In Command Prompt, it looks like this:
icacls %windir%\system32\config\*.* /inheritance:e
That should probably work in PowerShell too, but Microsoft suggests a slight variation for PowerShell:
icacls $env:windir\system32\config\*.* /inheritance:e
3. Delete existing shadow copies on each drive. For the C: drive, type this into the command line and hit Enter:
vssadmin delete shadows /for=c: /Quiet
4. Continue on other drives you may have, such as D:, E: and so on.
5. Check that all shadow copies have been deleted by typing this in again and hitting Enter:
vssadmin list shadows
You should get this as a response:
No items found that satisfy the query.
6. Reboot your machine.
7. Create a new restore point by typing "create" into the search bar, selecting "Create a restore point" and clicking the "Create" button in the pop-up window that appears.
After you make these changes, future shadow copies should have the proper read-write permissions so that unprivileged users cannot access them by any means.
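Steps 2a to 5 of the workaround as a single script, added here as an example rather than taken from the article, CERT/CC or Microsoft; it assumes an elevated Windows PowerShell 5.1 session and that every fixed disk has a drive letter:

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's, CERT/CC's or Microsoft's own script): steps 2a-5 of
# the workaround above in one script. It deletes every shadow copy on every fixed drive,
# so the restore-point caveat in the text applies.

$config = Join-Path $env:windir 'system32\config'

# Step 2a (Microsoft's variant): re-enable ACL inheritance on the hive files so they take
# the parent folder's permissions, which do not grant the Users group read access.
icacls "$config\*.*" /inheritance:e
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Steps 3-4: delete shadow copies on every fixed local drive (DriveType 3), not just C:.
$drives = (Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3').DeviceID
foreach ($drive in $drives) {
    Write-Host "Deleting shadow copies on $drive"
    vssadmin delete shadows "/for=$drive" /Quiet
}

# Step 5: verify, using the same data "vssadmin list shadows" reports.
$remaining = @(Get-CimInstance -ClassName Win32_ShadowCopy)
if ($remaining.Count -gt 0) {
    Write-Warning "$($remaining.Count) shadow copies still exist; check 'vssadmin list shadows' manually."
} else {
    Write-Host 'No shadow copies remain.'
}

# Steps 6-7 are left to the operator: reboot, then create a fresh restore point (for example
# with Checkpoint-Computer in Windows PowerShell 5.1, or via "Create a restore point").
Write-Host 'Now reboot, then create a new restore point so future shadow copies carry the fixed ACLs.'
```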
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
GM619 (replying to admin's post, "A jaw-dropping dumb flaw in Windows 10 and Windows 11 lets any local user or program seize full control of a machine."):
Wow this is a major issue, thanks so much for a workaround.
SJRouge91:
I know all OSes have their fair share of problems; Linux had that issue with the University of Minnesota being banned from adding future contributions to the kernel, and malware is becoming more prevalent on both Linux and macOS, but good grief, when ISN'T Microsoft in the news about patches causing more problems, malware, or crippling vulnerabilities like the printer nightmare and now this?
Thank you for this temporary fix. I also suggest creating a dedicated local admin account for additional protection (PC World has an article on how to do it), and it looks like I seriously need to go about transitioning to Linux soon.