Two new vulnerabilities, disclosed on Tuesday, affect Windows and Linux machines. An easily exploitable privilege escalation vulnerability has been identified in Windows 10 build 1809 and above, named SeriousSAM (also known as HiveNightmare). SeriousSAM allows a local non-administrative user to gain administrator-level privileges. The vulnerability was discovered by security researcher Jonas L (@jonasLyk) and is tracked as CVE-2021-36934.
A privilege escalation vulnerability, named Sequoia, has been found in the Linux kernel's file system layer. It affects all kernel revisions released since 2014. Sequoia allows a malicious user without root privileges to obtain root-level privileges, and it is tracked as CVE-2021-33909. The vulnerability was discovered by the cybersecurity company Qualys.
Vulnerabilities Details (CVE-2021-36934 and CVE-2021-33909)
An Important (CVSS 7.8) privilege escalation vulnerability (CVE-2021-36934) has been discovered in Windows 10 build 1809 and above. The vulnerability exists because the sensitive registry hives, Security Account Manager (SAM), SYSTEM, and SECURITY, are readable by all local users (BUILTIN\Users). These hives are stored in the C:\Windows\System32\config\ directory. SAM stores critical sensitive information such as administrator and user password hashes and the DPAPI computer keys.
Microsoft Security Advisory states, “An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs, view, change, or delete data, or create new accounts with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability.”
The BUILTIN\Users group has RX (read and execute) permission on the config folder, and if a VSS shadow copy of the system volume is available, an attacker can:
- Access account password hashes
- Find the original Windows installation password
- Access the DPAPI computer keys and use them to decrypt all of the computer's private keys
- Access the computer machine account
On Linux, a privilege escalation vulnerability (CVE-2021-33909) has been found in the Linux kernel's file system layer, which allows an unprivileged user to gain root privileges. The vulnerability affects Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, Fedora 34, and RHEL 6, 7, and 8.
Qualys stated that this vulnerability affects Linux kernel versions released after 2014. It is caused by a size_t-to-int type conversion flaw in fs/seq_file.c, the kernel's "seq_file" file system interface. The flaw allows an unprivileged user to create, mount, and delete a deep directory structure with a total path length exceeding 1 GB, resulting in privilege escalation on the vulnerable machine.
Successful exploitation of the SeriousSAM vulnerability allows an attacker to escalate privileges, run arbitrary code, and access sensitive information.
Successful exploitation of the Sequoia vulnerability allows an unprivileged user to gain root privileges.
CVE-2021-36934: Windows 10 build 1809 and above
CVE-2021-33909: Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, Fedora 34, RHEL 6, 7, and 8, and OEL 6, 7, and 8.
- For CVE-2021-36934, Microsoft has released a workaround to mitigate this vulnerability:
To restrict access to
Open command prompt as administrator and run the following command:
icacls %windir%\system32\config\*.* /inheritance:e
Open Powershell as administrator and run the following command:
icacls $env:windir\system32\config\*.* /inheritance:e
Delete shadow copies created by the Volume Shadow Copy Service (VSS)
Delete any system restore points and shadow copies that existed before access was restricted with the above command, since hives inside an older shadow copy remain readable. Create a new restore point if required.
- For CVE-2021-33909, respective operating system vendors have released security patches to fix this vulnerability.
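To verify whether a machine still meets the CVE-2021-36934 conditions before and after applying the Windows workaround above, here is an added PowerShell check; it is not part of the Microsoft advisory or of SanerNow. It assumes an elevated session (so Win32_ShadowCopy can be enumerated) and resolves BUILTIN\Users from its well-known SID S-1-5-32-545 so that it also works on localized Windows installations.

```powershell
# Added check (not from the advisory): report whether BUILTIN\Users can read the
# SAM/SYSTEM/SECURITY hives and whether VSS shadow copies exist that could still
# contain readable copies of those hives. Run from an elevated PowerShell.

$hives = 'SAM', 'SYSTEM', 'SECURITY' | ForEach-Object {
    Join-Path $env:windir "System32\config\$_"
}

# Resolve the well-known SID instead of hard-coding the English group name.
$usersSid     = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'
$usersAccount = $usersSid.Translate([System.Security.Principal.NTAccount]).Value

$exposedHives = foreach ($hive in $hives) {
    $acl = Get-Acl -Path $hive
    # Any Allow ACE for BUILTIN\Users that carries ReadData means the hive is exposed.
    $userRules = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $usersAccount -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
    }
    if ($userRules) {
        [pscustomobject]@{ Hive = $hive; Rights = ($userRules.FileSystemRights -join ', ') }
    }
}

# Shadow copies made before the ACL was fixed still hold readable hives.
$shadowCopies = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

if ($exposedHives) {
    Write-Host "Hives readable by ${usersAccount} (overly permissive ACL):"
    $exposedHives | Format-Table -AutoSize
} else {
    Write-Host "No hive grants read access to ${usersAccount}."
}

if ($shadowCopies.Count -gt 0) {
    Write-Host ("{0} VSS shadow copies present." -f $shadowCopies.Count)
    $shadowCopies | Select-Object ID, InstallDate, VolumeName | Format-Table -AutoSize
} else {
    Write-Host "No VSS shadow copies found."
}

if ($exposedHives -or $shadowCopies.Count -gt 0) {
    Write-Warning "CVE-2021-36934 conditions present: apply the icacls workaround and delete pre-existing shadow copies."
}
```

Re-run the check after the icacls command and after deleting old shadow copies; both sections should then report clean.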
SanerNow detects these vulnerabilities and automatically fixes them by applying security updates. Use SanerNow to keep your systems updated and secure. We strongly recommend applying the security updates as soon as possible, following the instructions published in our support article.