CVE-2021-36934: Windows Elevation of Privilege Vulnerability

Overview

Severity
High (CVSS 7.8)
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:T/RC:C
Category
Elevation of Privilege
Exploit Status
Not Exploited
Exploitation Likelihood
More Likely
Publicly Disclosed
Yes
Patch Tuesday
2021-Jul
Released
2021-07-20
Last Updated
2021-08-12
EPSS Score
90.16% (percentile: 99.6%)
CISA KEV
Listed — due 2022-02-24

Description

An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability. After installing this security update, you must manually delete all shadow copies of system files, including the SAM database, to fully mitigate this vulnerability. Simply installing this security update will not fully mitigate this vulnerability. See KB5005357 - Delete Volume Shadow Copies.

FAQ

Why doesn't this security update fully mitigate this vulnerability?

Fully mitigating this vulnerability involves deleting shadow copies of user data. To avoid deleting data without users' consent, we have opted to allow users to delete their shadow copies themselves. See KB5005357 - Delete Volume Shadow Copies.

Why doesn't this security update correct the ACLs on all files in %windir%\system32\config?

This security update corrects the ACLs on specific system files, including the SAM database, that would allow an attacker to elevate privileges. To avoid unexpected behavior, this security update does not correct the ACLs on every file in %windir%\system32\config.

I had manually corrected the ACLs on files in %windir%\system32\config and then deleted the shadow copies of my system volume. Do I need to delete the shadow copies again?

No. If you correctly applied the workaround before installing this security update, then you do not need to delete any shadow copies again.
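The description and FAQ above say that a host is only fully mitigated when both conditions hold: the hive files under %windir%\system32\config are no longer readable by non-administrators, and no shadow copies taken while they were readable remain. The following PowerShell script is an added audit example written for this page; it is not part of the advisory, of KB5005357, or of any Microsoft tooling, and the function names (Test-HiveAcl, Get-ShadowCopySummary) are my own. It reports the current state and prints the remediation commands rather than changing anything, so an administrator can decide whether the workaround still needs to be applied. Run it from an elevated PowerShell session.

```powershell
# Added example for CVE-2021-36934 (not from the advisory or from Microsoft).
# Audits the ACLs on the registry hive files in %windir%\System32\config and
# lists existing Volume Shadow Copies. Read-only: it changes nothing.

function Test-HiveAcl {
    param(
        # The hives the advisory is concerned with; SAM is the one it names.
        [string[]]$HiveFiles = @('SAM', 'SECURITY', 'SYSTEM')
    )
    $configDir = Join-Path $env:windir 'System32\config'
    foreach ($name in $HiveFiles) {
        $path = Join-Path $configDir $name
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $acl = Get-Acl -LiteralPath $path
        # An Allow ACE for BUILTIN\Users that carries the ReadData bit (set by
        # Read, ReadAndExecute, Modify and FullControl) is the overly
        # permissive condition the advisory describes.
        $usersRead = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
            (([int]$_.FileSystemRights -band 1) -ne 0)
        }
        [pscustomobject]@{
            File         = $path
            UsersCanRead = [bool]$usersRead
            # Microsoft's workaround re-enables inheritance on these files, so
            # a protected (non-inheriting) ACL is worth a second look.
            InheritsAcl  = -not $acl.AreAccessRulesProtected
        }
    }
}

function Get-ShadowCopySummary {
    # Shadow copies created while the hives were world-readable still hold the
    # old SAM contents, which is why the advisory requires deleting them.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, VolumeName, InstallDate
}

$hives   = @(Test-HiveAcl)
$shadows = @(Get-ShadowCopySummary)

'Hive file ACL state:'
$hives | Format-Table -AutoSize
'Existing shadow copies:'
if ($shadows.Count -eq 0) { '(none)' } else { $shadows | Format-Table -AutoSize }

$exposed = @($hives | Where-Object UsersCanRead)
if ($exposed.Count -gt 0) {
    Write-Warning 'Non-administrators can read hive files; restore the default ACLs, e.g. with the command from Microsoft''s workaround:'
    Write-Warning '  icacls %windir%\system32\config\*.* /inheritance:e'
}
if ($shadows.Count -gt 0) {
    Write-Warning 'Shadow copies exist; after the ACLs are correct, delete them as described in KB5005357, e.g.:'
    Write-Warning '  vssadmin delete shadows /for=C: /Quiet'
}
if ($exposed.Count -eq 0 -and $shadows.Count -eq 0) {
    'No exposed hive files and no shadow copies found; the workaround has been applied.'
}
```

The check keys on the ReadData bit rather than on a named right so that it also catches custom ACEs; an ACE granting only generic rights would not be flagged, so treat a clean result as one input to the decision, not proof. Because deleting shadow copies also discards the user data they protect (the point the FAQ makes), the script only prints the deletion command and leaves the decision to the administrator.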

Known Exploits (21)

  • Microsoft Windows SAM Local Privilege Escalation Vulnerability — added 2025-06-09T00:42:29Z
  • Microsoft Windows SAM Local Privilege Escalation Vulnerability — added 2021-08-12T18:01:21Z
  • Microsoft Windows SAM Local Privilege Escalation Vulnerability — added 2021-08-10T19:39:28Z
  • Microsoft Windows SAM Local Privilege Escalation Vulnerability — added 2021-08-02T13:47:17Z
  • Microsoft Windows SAM Local Privilege Escalation Vulnerability — added 2021-08-01T19:54:31Z
  • Microsoft Windows SAM Local Privilege Escalation Vulnerability — added 2021-07-29T20:35:22Z
  • Microsoft Windows SAM Local Privilege Escalation Vulnerability — added 2021-07-26T08:01:08Z
  • Microsoft Windows SAM Local Privilege Escalation Vulnerability — added 2021-07-26T06:51:37Z
  • Microsoft Windows SAM Local Privilege Escalation Vulnerability — added 2021-07-25T18:00:35Z
  • Microsoft Windows SAM Local Privilege Escalation Vulnerability — added 2021-07-25T00:31:11Z
  • Microsoft Windows SAM Local Privilege Escalation Vulnerability — added 2021-07-24T14:58:10Z
  • Microsoft Windows SAM Local Privilege Escalation Vulnerability — added 2021-07-24T00:08:04Z
  • Microsoft Windows SAM Local Privilege Escalation Vulnerability — added 2021-07-22T21:54:45Z
  • Microsoft Windows SAM Local Privilege Escalation Vulnerability — added 2021-07-22T14:53:09Z
  • Microsoft Windows SAM Local Privilege Escalation Vulnerability — added 2021-07-22T12:24:24Z
  • Microsoft Windows SAM Local Privilege Escalation Vulnerability — added 2021-07-22T03:07:56Z
  • Microsoft Windows SAM Local Privilege Escalation Vulnerability — added 2021-07-22T00:55:23Z
  • Microsoft Windows SAM Local Privilege Escalation Vulnerability — added 2021-07-21T17:24:44Z
  • Microsoft Windows SAM Local Privilege Escalation Vulnerability — added 2021-07-20T22:16:49Z
  • Microsoft Windows SAM Local Privilege Escalation Vulnerability — added 2021-07-20T11:35:43Z

Detection & Weaponization (3 sources)

Maturity: Detection

  • Metasploit modules: Windows SAM secrets leak - HiveNightmare
  • YARA rules: ARKBIRD_SOLG_Exp_CVE_2021_36934_July_2021_1, DITEKSHEN_INDICATOR_TOOL_EXP_Serioussam01
  • GitHub PoC: 23 repositories

Affected Products (15)

Windows

  • Windows 10 Version 1809 for 32-bit Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 1809 for ARM64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 21H1 for x64-based Systems
  • Windows 10 Version 21H1 for ARM64-based Systems
  • Windows 10 Version 21H1 for 32-bit Systems
  • Windows 10 Version 2004 for 32-bit Systems
  • Windows 10 Version 2004 for ARM64-based Systems
  • Windows 10 Version 2004 for x64-based Systems
  • Windows 10 Version 20H2 for x64-based Systems
  • Windows 10 Version 20H2 for 32-bit Systems
  • Windows 10 Version 20H2 for ARM64-based Systems

Security Updates (3)

Revision History

  • 2021-07-20: Information published.
  • 2021-07-20: Updated Workaround information. This is an informational change only.
  • 2021-07-21: CVE updated as follows: 1) In the Security Updates table, affected versions of Windows have been added. 2) Workaround updated to include a link to information on how to delete shadow copies. 3) FAQ removed as it is no longer applicable. This CVE will be updated when more information or updates are available.
  • 2021-07-23: In the Security Updates table, removed Windows Server, version 20H2 (Server Core Installation) because it is not affected by this vulnerability.
  • 2021-07-27: The following revisions have been made: 1) Removed Windows Server versions from the Security Updates table as they are not affected by this vulnerability. 2) Updated the Workaround information with a Caution regarding restoring a system from backup.
  • 2021-08-10: CVE updated to announce that Microsoft is releasing the August 2021 security updates for all affected versions of Windows to address this vulnerability. Additionally, other information has been updated to provide further instructions for mitigating this vulnerability, including the following: 1) Executive Summary has been updated 2) Workarounds have been updated 3) FAQs have been added.
  • 2021-08-12: Updated FAQ information. This is an informational change only.