Microsoft Security has been talking about a relatively new system vulnerability for the past few days. Now, the company has come up with an effective workaround for the ACL and SAM vulnerability. The vulnerability, tracked as CVE-2021-36934, is an important issue because it gives a bad actor elevated privileges.
How to fix Windows Elevation of Privilege vulnerability
An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit the vulnerability, the bad actor must already have access to the system and be able to run code on it. Microsoft is still investigating the issue, and more details are expected to be added to the CVE. For the time being, however, users can apply a two-part workaround to close off the vulnerable part of the OS.
As mentioned, the vulnerabilities deal with ACL and SAM, which stand for Access Control Lists and Security Accounts Manager database. Once the vulnerability has been exploited, the hacker would be given SYSTEM privileges, meaning that almost any changes can be made.
Installing or removing programs, adding or deleting data, adding or removing accounts, and running arbitrary code are some of the potential consequences. According to Microsoft's advisory, no exploitation of the vulnerability has been reported so far, and Microsoft was quick to offer a workaround. However, the company also rates exploitation as more likely and says that users should apply the workaround as quickly as possible.
There are two steps to fix the issue.
In the first step, you have to run a Command Prompt or Windows PowerShell command that re-enables permission inheritance on, and thereby restricts access to, the contents of the following directory:
%windir%\system32\config
Command Prompt (Run as administrator):
icacls %windir%\system32\config\*.* /inheritance:e
Windows PowerShell (Run as administrator):
icacls $env:windir\system32\config\*.* /inheritance:e
In the second step, the user has to remove the Volume Shadow Copy Service (VSS) shadow copies. This also requires the removal of existing System Restore points. Once these have been removed and access to %windir%\system32\config has been restricted, the user may create a new System Restore point.
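The two-step workaround above, as an added PowerShell example that is not part of Microsoft's advisory or of this article: it first reports whether the registry hives under %windir%\system32\config are readable by ordinary users, then applies the published icacls command, deletes the shadow copies and creates a fresh restore point. It assumes Windows PowerShell 5.1 run as administrator, the English names of the built-in groups, and the hypothetical function names used here.

```powershell
# Added example, not from Microsoft's advisory. Run from an elevated Windows PowerShell 5.1.
# Assumes English built-in group names (BUILTIN\Users, Everyone, NT AUTHORITY\Authenticated Users).

$configDir = Join-Path $env:windir 'system32\config'
$hives = 'SAM', 'SECURITY', 'SYSTEM'

# Check: does any hive carry an Allow ACE that grants read access to non-admin principals?
function Test-HiveExposure {
    foreach ($name in $hives) {
        $path = Join-Path $configDir $name
        $acl = Get-Acl -Path $path   # reads only the security descriptor, not the locked hive contents
        $exposed = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match '^(BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users)$' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
        }
        [pscustomobject]@{ Hive = $name; Exposed = [bool]$exposed }
    }
}

# Mitigation: the workaround described in the article, in order.
function Invoke-Cve202136934Workaround {
    # Step 1: re-enable ACL inheritance on everything under config (Microsoft's published command)
    & icacls "$configDir\*.*" /inheritance:e

    # Step 2: delete VSS shadow copies (and with them existing restore points),
    # since they can still hold copies of the hives with the old permissive ACLs
    & vssadmin delete shadows /all /quiet

    # Step 3: create a new restore point now that the hives are protected
    Checkpoint-Computer -Description 'Post CVE-2021-36934 workaround' -RestorePointType 'MODIFY_SETTINGS'
}

# Report the state before acting; remediate only if any hive is exposed.
$before = Test-HiveExposure
$before | Format-Table -AutoSize
if ($before.Exposed -contains $true) {
    Invoke-Cve202136934Workaround
    Test-HiveExposure | Format-Table -AutoSize   # every hive should now report Exposed = False
}
```

Checkpoint-Computer refuses to create more than one restore point per 24 hours by default, so the final step may be skipped silently on a machine where one was created recently.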
The problem with the workaround is that the user loses all existing System Restore points. That is not a problem for those who keep another form of backup, but individuals or organizations that rely entirely on System Restore points will bear the risk.
It must be noted that the current workaround is a temporary fix. Microsoft will likely release a patch after it has investigated the issue thoroughly.