There are two new vulnerabilities that were discovered on Tuesday, which affect Windows and Linux machines. An easily exploitable privilege escalation vulnerability has been identified in Windows 10 build 1809 and above, and its name is SeriousSAM, aka HiveNightmare. SeriousSAM allows a local non-administrative user to have administrative-level privileges. The vulnerability has come to light via security researcher Jonas L (@jonasLyk), and CVE-2021-36934 tracks it. A good vulnerability management tool can solve these problems.
A privilege escalation vulnerability has been found in Linux Kernel’s File system layer, Sequoia. The vulnerability affects all the revisions of Kernel from the year 2014. However, Sequoia allows a malicious user without root privilege to obtain root-level privileges, and CVE-2021-33909 tracks it. The vulnerabilities discovered by the cybersecurity company Qualys. Vulnerability Management Software can resolve these issues.
Vulnerabilities Details of SeriousSam(CVE-2021-36934 and CVE-2021-33909)
An Important (CVSS:7.8) privilege escalation vulnerability (CVE-2021-36934) is present in Windows 10 build 1809 and above. The vulnerability exists because the sensitive registry hives – Security Account Manager (SAM), SYSTEM, and SECURITY is present for all local users (BUILTIN\Users). These sensitive hives are stored in the C:\Windows\System32\config\ directory. SAM stores critical sensitive information like admin and user passwords in hash form and DPAPI computer keys.
Microsoft Security Advisory states, “An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. They could install programs, view, change, delete data, or create new accounts with full user rights. An attacker must be able to execute code on a victim system to exploit this vulnerability.”
BUILTIN\Users group has RX permission to the config folder, and if a VSS shadow copy of the system is available, then an attacker can :
- Access account password hashes
- Find the original Windows installation password
- Access DPAPI computer keys and can use them to decrypt all private computer keys.
- Access computer machine account
CVE-2021-33909:
On Linux, A privilege escalation vulnerability (CVE-2021-33909) is present in Linux Kernel’s file system layer, which allows an unprivileged user to gain root privileges. The vulnerability affects Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34. RHEL 6, 7, and 8.
Qualys states that this vulnerability affects Linux Kernel versions that are coming after 2014. It is due to a size_t-to-int type conversion vulnerability in the fs/seq_file.c of the “seq_file” file system interface in the Linux kernel. The flaw allows an unprivileged user to create, mount, and delete a deep directory structure with a total path length of more than 1GB resulting in the privilege escalation on the vulnerable machine.
Impact
Successful exploitation of the SeriousSAM vulnerability allows an attacker to escalate the privileges, run arbitrary code, and, therefore, access sensitive information.
Successful exploitation of the Sequoia vulnerabilities allows an unprivileged user to gain root privileges.
Affected Applications
CVE-2021-36934: Windows 10 build 1809 and above
CVE-2021-33909: The vulnerability affects Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34. RHEL 6, 7, and 8 and OEL 6, 7, and 8.
Solutions
- For CVE-2021-36934, Microsoft has released a workaround to mitigate this vulnerability:
To restrict access to C:\Windows\System32\config\
Open the command prompt as administrator and run the following command:
icacls %windir%\system32\config\*.* /inheritance:e
Open Powershell as administrator and run the following command:
icacls $env:windir\system32\config\*.* /inheritance:e
Delete shadow copies created by Volume Shadow Copy Service (VSS)
Delete any system restore points and shadow copies that existed before restricting the access using the above command. Create a new restore point if required.
- For CVE-2021-33909, respective operating system vendors have released security patches to fix this vulnerability.
SanerNow detects these vulnerabilities and automatically fixes them by applying security updates. Use SanerNow to keep your systems updated and secure. We strongly recommend applying the security updates as soon as possible following the instructions published in our support article.