
Elevation of Privilege Vulnerabilities affects Windows and Linux

Two new privilege escalation vulnerabilities, one affecting Windows and one affecting Linux, were disclosed on Tuesday. An easily exploitable local privilege escalation vulnerability, named SeriousSAM (also known as HiveNightmare), has been identified in Windows 10 version 1809 and later. SeriousSAM allows a local, non-administrative user to obtain administrator-level privileges. The issue was discovered by security researcher Jonas L (@jonasLyk) and is tracked as CVE-2021-36934.

A second privilege escalation vulnerability, named Sequoia, has been found in the Linux kernel's filesystem layer. It affects every kernel version released since 2014. Sequoia allows a malicious local user without root privileges to obtain root, and it is tracked as CVE-2021-33909. The vulnerability was discovered by the cybersecurity company Qualys.


Vulnerability Details (CVE-2021-36934 and CVE-2021-33909)

An Important-severity (CVSS 7.8) privilege escalation vulnerability (CVE-2021-36934) has been discovered in Windows 10 version 1809 and later. It exists because the sensitive registry hives SAM (Security Account Manager), SYSTEM, and SECURITY, stored in the C:\Windows\System32\config\ directory, are readable by all local users (BUILTIN\Users). The SAM hive holds the password hashes of every local account, including administrators; the SECURITY hive holds LSA secrets such as the DPAPI machine keys and the computer account password; and the SYSTEM hive holds the boot key needed to decrypt both.

Microsoft's security advisory states: “An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability.”

Because BUILTIN\Users has RX permission on the files in the config folder, and the live hives are held open by the system, an attacker who can reach a VSS shadow copy of the system volume reads the hive copies from there and can:

  • Extract the password hashes of all local accounts, including administrators
  • Find the original Windows installation password
  • Extract the DPAPI machine keys and use them to decrypt all of the computer's private keys
  • Obtain the computer (machine) account credentials

On Linux, a privilege escalation vulnerability (CVE-2021-33909) has been found in the kernel's filesystem layer which allows an unprivileged local user to gain root privileges. The vulnerability affects Ubuntu 20.04, 20.10, and 21.04, Debian 11, Fedora 34, and RHEL 6, 7, and 8.

Qualys reports that the bug was introduced in 2014 and affects every kernel version released since. It is a size_t-to-int type conversion vulnerability in fs/seq_file.c, the kernel's “seq_file” interface that backs virtual files such as /proc/self/mountinfo. An unprivileged local user can create, mount, and delete a deep directory structure whose total path length exceeds 1 GB; when the kernel then writes that path into a seq_file buffer, the truncated length lets the write land outside the buffer, an out-of-bounds write in kernel memory that Qualys turned into root privileges on the vulnerable machine.


Impact

Successful exploitation of the SeriousSAM vulnerability allows a local attacker to escalate privileges to SYSTEM, run arbitrary code, and access sensitive credential material such as password hashes and DPAPI machine keys.

Successful exploitation of the Sequoia vulnerability allows an unprivileged local user to gain root privileges.


Affected Applications

CVE-2021-36934: Windows 10 version 1809 and later

CVE-2021-33909: Ubuntu 20.04, 20.10, and 21.04; Debian 11; Fedora 34; RHEL 6, 7, and 8; and OEL 6, 7, and 8.


Solutions

  • For CVE-2021-36934, Microsoft has published a two-step workaround to mitigate this vulnerability until a patch is available:

Restrict access to the contents of C:\Windows\System32\config\

Open a Command Prompt as administrator and run the following command:

icacls %windir%\system32\config\*.* /inheritance:e

Or open PowerShell as administrator and run the following command:

icacls $env:windir\system32\config\*.* /inheritance:e

Delete shadow copies created by the Volume Shadow Copy Service (VSS)

Restricting the ACLs on the live files does not change the copies inside existing shadow copies, so delete any System Restore points and shadow copies that existed before you ran the command above. Create a new restore point afterwards if one is required.
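The script below is an added example, not code from the original post, from Microsoft's advisory, or from SecPod's SanerNow. It turns the check described under Vulnerability Details and the two workaround steps above into one repeatable audit: it reports whether the SAM, SYSTEM and SECURITY files still grant BUILTIN\Users read access and whether any VSS shadow copies exist, and with -Fix it runs the same icacls and vssadmin steps. The function names and output messages are this example's own; it assumes it is run from an elevated PowerShell session on the affected host.

```powershell
# Added example (not from the SecPod post, Microsoft or SanerNow): audit a host for
# CVE-2021-36934 (SeriousSAM / HiveNightmare) and, with -Fix, apply Microsoft's
# workaround. Function names and messages are this script's own. Run elevated.
[CmdletBinding()]
param(
    [switch]$Fix   # also run the icacls and vssadmin steps of the workaround
)

$ConfigDir = Join-Path $env:windir 'System32\config'
$HiveFiles = @('SAM', 'SYSTEM', 'SECURITY') | ForEach-Object { Join-Path $ConfigDir $_ }
$UsersSid  = 'S-1-5-32-545'   # well-known SID of BUILTIN\Users

function Get-ExposedHives {
    # Returns the hive files whose DACL grants BUILTIN\Users read access.
    # Reading a security descriptor needs only READ_CONTROL, so this works even
    # though the system keeps the live hives open exclusively.
    $exposed = @()
    foreach ($hive in $HiveFiles) {
        $acl = Get-Acl -LiteralPath $hive
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # unresolvable account, so not BUILTIN\Users
            $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
            if ($sid -eq $UsersSid -and [int]($ace.FileSystemRights -band $readData) -ne 0) {
                Write-Warning ("{0}: BUILTIN\Users has {1} (inherited: {2})" -f $hive, $ace.FileSystemRights, $ace.IsInherited)
                $exposed += $hive
            }
        }
    }
    return $exposed
}

function Get-ShadowCopyList {
    # Shadow copies made while the loose ACL was in force still carry a readable
    # copy of every hive; that is what an attacker actually reads.
    @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
        Select-Object ID, VolumeName, InstallDate)
}

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

$exposedHives = @(Get-ExposedHives)
$shadows      = Get-ShadowCopyList

if ($exposedHives.Count -gt 0 -and $shadows.Count -gt 0) {
    Write-Host ("EXPOSED: {0} hive(s) readable by BUILTIN\Users and {1} shadow copy(ies) to read them from." -f $exposedHives.Count, $shadows.Count)
} elseif ($exposedHives.Count -gt 0) {
    Write-Host 'Hive ACLs are too permissive; no shadow copy exists yet, but System Restore or Windows Update can create one at any time.'
} elseif ($shadows.Count -gt 0) {
    Write-Host ("Hive ACLs are restricted, but {0} shadow copy(ies) exist; any made before the ACL fix still contain readable hives." -f $shadows.Count)
} else {
    Write-Host 'Not exposed: hive ACLs are restricted and no shadow copies exist.'
}

if ($Fix) {
    # Step 1 of the workaround: re-enable inheritance so the hive files take the
    # restrictive ACL of the config directory instead of their permissive ACEs.
    & icacls "$ConfigDir\*.*" /inheritance:e | Out-Null
    # Step 2: delete the restore points and shadow copies made while the hives
    # were readable; a fresh restore point can be created afterwards if needed.
    & vssadmin delete shadows /all /quiet | Out-Null
    Write-Host 'Workaround applied; re-run without -Fix to verify.'
}
```

Run it once without -Fix to see the current state, then with -Fix to apply the workaround, and once more without -Fix to confirm that no hive is reported. The script deliberately treats "ACLs restricted but shadow copies present" as unresolved rather than safe: it cannot tell from the live files whether a given shadow copy predates the ACL change, and a copy that does still exposes the hives.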

  • For CVE-2021-33909, the respective operating system vendors have released kernel security patches to fix this vulnerability; install the updated kernel and reboot so that the fixed kernel is running.

SanerNow detects these vulnerabilities and automatically fixes them by applying security updates. Use SanerNow to keep your systems updated and secure. We strongly recommend applying the security updates as soon as possible following the instructions published in our support article.
