New Vulnerabilities in Windows and Linux Grant Attackers Elevated System Privileges

July 21, 2021

Recent findings have uncovered a local privilege escalation vulnerability in Microsoft’s Windows 10 and the soon-to-be-released Windows 11, enabling users with limited permissions to access critical system files. This loophole, referred to as “SeriousSAM,” allows unauthorized individuals to potentially reveal the operating system installation password and decrypt private keys.

According to a vulnerability note from the CERT Coordination Center (CERT/CC), since Windows 10 build 1809, non-administrative users have had access to the SAM, SYSTEM, and SECURITY registry hive files, which could lead to local privilege escalation (LPE). The affected operating system configuration files include:

  • c:\Windows\System32\config\sam
  • c:\Windows\System32\config\system
  • c:\Windows\System32\config\security

Microsoft, which has assigned the identifier CVE-2021-36934 to this vulnerability, has acknowledged the issue but has not yet released a patch.

New Windows and Linux Vulnerabilities Grant Attackers Elevated System Privileges

July 21, 2021

Recent discoveries have unveiled significant local privilege escalation vulnerabilities affecting Microsoft’s Windows 10 and the soon-to-be-released Windows 11. These flaws allow users with limited permissions to gain access to critical system files, creating avenues for attackers to recover the operating system installation password and decrypt sensitive private keys. This vulnerability has been dubbed “SeriousSAM.”

According to a vulnerability note published by the CERT Coordination Center (CERT/CC) on Monday, the issue specifically stems from changes made in Windows 10 build 1809. Non-administrative users are granted access to key registry files—the SAM, SYSTEM, and SECURITY hives—which can facilitate local privilege escalation. The critical files affected are located at c:\Windows\System32\config\sam, c:\Windows\System32\config\system, and c:\Windows\System32\config\security.

Microsoft has officially acknowledged the vulnerability, assigning it the identifier CVE-2021-36934. However, as of now, the company has not released a patch to address the issue. This delay poses a significant risk for businesses, placing both operational integrity and sensitive data at risk.

The implications of such vulnerabilities extend beyond immediate technical concerns. Business owners must consider how unpatched systems can serve as targets for exploitation, particularly for adversaries employing techniques such as privilege escalation. The MITRE ATT&CK framework indicates that attackers may exploit this vulnerability to gain unauthorized authority within a system, enhancing their ability to execute malicious actions without detection.

As attackers increasingly aim for elevated privileges, the importance of robust cybersecurity measures becomes paramount. Vigilance in monitoring system permissions and promptly applying available security updates can mitigate risks associated with these critical vulnerabilities.

This incident serves as a stark reminder for organizations, especially those in tech-centric sectors, to enhance their security postures in light of evolving threats. Awareness of potential vulnerabilities like SeriousSAM is crucial in developing a proactive approach to cybersecurity, ensuring that systems remain safeguarded against unauthorized access and data breaches.

For companies using affected versions of Windows, implementing compensatory controls while awaiting a formal patch is advisable. Strategies may include restricting access to sensitive files and reinforcing user authentication protocols to reduce the likelihood of exploitation while maintaining operational continuity.

As this situation continues to develop, stakeholders should stay informed and ready to adapt to evolving threats, reinforcing their resilience in an ever-changing cybersecurity landscape.

Source link

Related Posts

Apple Issues Critical 0-Day Patch for Mac, iPhone, and iPad

On July 27, 2021, Apple released a crucial security update for iOS, iPadOS, and macOS to fix a zero-day vulnerability that may have already been exploited. This marks the thirteenth such vulnerability Apple has addressed this year. The update, which follows the recent launch of iOS 14.7, iPadOS 14.7, and macOS Big Sur 11.5, resolves a memory corruption issue (CVE-2021-30807) in the IOMobileFrameBuffer, a kernel extension responsible for managing the screen framebuffer. This flaw could allow malicious actors to execute arbitrary code with kernel privileges. Apple stated that it has improved memory handling to mitigate this risk and acknowledged reports of potential exploitation. As is standard, specific details about the vulnerability have not been released to prevent further attacks. An anonymous researcher is credited with discovering and reporting the issue.

Security Flaws Discovered in Three Widely Used Open-Source Software Solutions

On July 27, 2021, cybersecurity researchers revealed nine vulnerabilities across three popular open-source projects—EspoCRM, Pimcore, and Akaunting. These platforms are commonly utilized by small to medium businesses, and successful exploitation of these flaws could lead to more advanced cyberattacks. The identified vulnerabilities affect EspoCRM v6.1.6, Pimcore Customer Data Framework v3.0.0, Pimcore AdminBundle v6.8.0, and Akaunting v2.1.12. Fortunately, all issues were addressed within a day of being disclosed, according to researchers Wiktor Sędkowski from Nokia and Trevor Christiansen from Rapid7. Notably, six of the nine vulnerabilities originated in the Akaunting project. EspoCRM serves as an open-source customer relationship management application, while Pimcore functions as an open-source enterprise platform for managing customer data, digital assets, content, and commerce. Akaunting provides open-source online accounting solutions.

Microsoft Alerts Users to New Unresolved Windows Print Spooler RCE Vulnerability

August 12, 2021

Following the release of its Patch Tuesday updates, Microsoft has revealed yet another remote code execution (RCE) vulnerability in the Windows Print Spooler component. The company is actively working on a fix for this issue, scheduled for an upcoming security update. Identified as CVE-2021-36958 (CVSS score: 7.3), this unaddressed vulnerability adds to the ongoing list of issues collectively referred to as PrintNightmare, which have affected the printing service in recent months. Victor Mata from FusionX, Accenture Security, credited with reporting the flaw, noted that the issue was disclosed to Microsoft back in December 2020. “A remote code execution vulnerability occurs when the Windows Print Spooler service improperly handles privileged file operations,” the company stated in its out-of-band bulletin, while reiterating the details of CVE-2021-34481. “An attacker who successfully exploits this vulnerability could execute arbitrary code with system-level privileges…