{"@odata.context":"https://api.msrc.microsoft.com/sug/v2.0/sugodata/v2.0/en-US/$metadata#vulnerability/$entity","id":"00000000-0000-0000-0000-000010cb0175","releaseDate":"2021-07-20T07:00:00Z","cveNumber":"CVE-2021-36934","cveTitle":"Windows Elevation of Privilege Vulnerability","releaseNumber":"2021-Jul","vulnType":"Security Vulnerability","latestRevisionDate":"2021-08-12T07:00:00Z","description":"<p>An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.</p>\n<p>An attacker must have the ability to execute code on a victim system to exploit this vulnerability.</p>\n<p>After installing this security update, you <em>must</em> manually delete all shadow copies of system files, including the SAM database, to fully mitigate this vulnerability. <strong>Simply installing this security update will not fully mitigate this vulnerability.</strong> See <a href=\"https://support.microsoft.com/topic/1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7\">KB5005357- Delete Volume Shadow Copies</a>.</p>\n","cweList":[],"cweDetailsListForSearch":[],"unformattedDescription":"An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. 
An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nAn attacker must have the ability to execute code on a victim system to exploit this vulnerability.\n\nAfter installing this security update, you _must_ manually delete all shadow copies of system files, including the SAM database, to fully mitigate this vulnerability. **Simply installing this security update will not fully mitigate this vulnerability.** See [KB5005357- Delete Volume Shadow Copies](https://support.microsoft.com/topic/1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7).","mitreText":"CVE-2021-36934","mitreUrl":"https://www.cve.org/CVERecord?id=CVE-2021-36934","publiclyDisclosed":"Yes","exploited":"No","latestSoftwareReleaseId":1,"latestSoftwareRelease":"Exploitation More Likely","olderSoftwareReleaseId":0,"denialOfService":"N/A","tag":"Microsoft Windows","issuingCna":"Microsoft","issuingCnaId":0,"severityId":100000001,"severity":"Important","impactId":100000002,"impact":"Elevation of Privilege","langCode":"en-US","baseScore":"7.8","temporalScore":"7.3","vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:T/RC:C","isMariner":false,"customerActionRequired":true,"customerActionRequiredId":0,"cweDetailsList":[],"articles":[{"articleType":"Workaround","description":"<p>We recommend installing this security update as soon as possible. 
If you must delay installation of this security update, we recommend this workaround:</p>\n<p><strong>Restrict access to the contents of %windir%\\system32\\config</strong></p>\n<p>Command Prompt (Run as administrator): <code>icacls %windir%\\system32\\config\\*.* /inheritance:e</code></p>\n<p>Windows PowerShell (Run as administrator): <code>icacls $env:windir\\system32\\config\\*.* /inheritance:e</code></p>\n<p><strong>Delete Volume Shadow Copy Service (VSS) shadow copies</strong></p>\n<ol>\n<li><p>Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\\system32\\config.</p>\n</li>\n<li><p>Create a new System Restore point (if desired).</p>\n</li>\n</ol>\n<p><strong>Impact of workaround</strong> Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications. For more information on how to delete shadow copies, see <a href=\"https://support.microsoft.com/topic/1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7\">KB5005357- Delete Volume Shadow Copies</a>.</p>\n<p><strong>Note 1</strong> You must restrict access <em>and</em> delete shadow copies to mitigate this vulnerability.</p>\n<p><strong>Note 2</strong> Even after installing this security update, you <em>must</em> delete all shadow copies of your system volume to fully mitigate this vulnerability.</p>\n<p><strong>Caution</strong> Restoring your system from a backup could also restore the overly permissive ACLs, and therefore revert your system to a vulnerable state. After restoring a backup, you must verify that the ACLs are correct to ensure that the restore operation did not reintroduce this vulnerability.</p>\n","ordinal":10000},{"articleType":"FAQ","description":"<p><strong>Why doesn't this security update fully mitigate this vulnerability?</strong></p>\n<p>Fully mitigating this vulnerability involves deleting shadow copies of user data. 
To avoid deleting data without users' consent, we have opted to allow users to delete their shadow copies themselves. See <a href=\"https://support.microsoft.com/topic/1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7\">KB5005357- Delete Volume Shadow Copies</a>.</p>\n<p><strong>Why doesn't this security update correct the ACLs on <em>all</em> files in %windir%\\system32\\config?</strong></p>\n<p>This security update corrects the ACLs on specific system files, including the SAM database, that would allow an attacker to elevate privileges. To avoid unexpected behavior, this security update does not correct the ACLs on every file in %windir%\\system32\\config.</p>\n<p><strong>I had manually corrected the ACLs on files in %windir%\\system32\\config and then deleted the shadow copies of my system volume. Do I need to delete the shadow copies again?</strong></p>\n<p>No. If you correctly applied the workaround before installing this security update, then you do not need to delete any shadow copies again.</p>\n","ordinal":10000}],"revisions":[{"cveNumber":"CVE-2021-36934","version":1,"revisionDate":"2021-07-20T07:00:00Z","initialDate":"0001-01-01T00:00:00Z","description":"<p>Information published.</p>\n","unformattedDescription":"Information published.","notificationNeeded":false,"notificationSent":false,"sourceId":"a8808df7-8ce9-eb11-a842-000d3a6d3364"},{"cveNumber":"CVE-2021-36934","version":2,"revisionDate":"2021-07-21T07:00:00Z","initialDate":"0001-01-01T00:00:00Z","description":"<p>CVE updated as follows: 1) In the Security Updates table, affected versions of Windows have been added. 2) Workaround updated to include a link to information on how to delete shadow copies. 3) FAQ removed as it is no longer applicable. This CVE will be updated when more information or updates are available.</p>\n","unformattedDescription":"CVE updated as follows: 1) In the Security Updates table, affected versions of Windows have been added. 
2) Workaround updated to include a link to information on how to delete shadow copies. 3) FAQ removed as it is no longer applicable. This CVE will be updated when more information or updates are available.","notificationNeeded":false,"notificationSent":false,"sourceId":"72d09efa-85ea-eb11-a843-000d3a6d3364"},{"cveNumber":"CVE-2021-36934","version":3,"revisionDate":"2021-07-23T07:00:00Z","initialDate":"0001-01-01T00:00:00Z","description":"<p>In the Security Updates table, removed Windows Server, version 20H2 (Server Core Installation) because it is not affected by this vulnerability.</p>\n","unformattedDescription":"In the Security Updates table, removed Windows Server, version 20H2 (Server Core Installation) because it is not affected by this vulnerability.","notificationNeeded":false,"notificationSent":false,"sourceId":"51bd4706-00ec-eb11-a843-000d3a6d3364"},{"cveNumber":"CVE-2021-36934","version":5,"revisionDate":"2021-08-10T07:00:00Z","initialDate":"0001-01-01T00:00:00Z","description":"<p>CVE updated to announce that Microsoft is releasing the August 2021 security updates for all affected versions of Windows to address this vulnerability. Additionally, other information has been updated to provide further instructions for mitigating this vulnerability, including the following: 1) Executive Summary has been updated 2) Workarounds have been updated 3) FAQs have been added.</p>\n","unformattedDescription":"CVE updated to announce that Microsoft is releasing the August 2021 security updates for all affected versions of Windows to address this vulnerability. 
Additionally, other information has been updated to provide further instructions for mitigating this vulnerability, including the following: 1) Executive Summary has been updated 2) Workarounds have been updated 3) FAQs have been added.","notificationNeeded":false,"notificationSent":false,"sourceId":"258c9b0a-46f9-eb11-a846-000d3a6d3364"},{"cveNumber":"CVE-2021-36934","version":5.1,"revisionDate":"2021-08-12T07:00:00Z","initialDate":"0001-01-01T00:00:00Z","description":"<p>Updated FAQ information. This is an informational change only.</p>\n","unformattedDescription":"Updated FAQ information. This is an informational change only.","notificationNeeded":false,"notificationSent":false,"sourceId":"cbd05ce7-b4fb-eb11-a846-000d3a6d3364"},{"cveNumber":"CVE-2021-36934","version":1.1,"revisionDate":"2021-07-20T07:00:00Z","initialDate":"0001-01-01T00:00:00Z","description":"<p>Updated Workaround information. This is an informational change only.</p>\n","unformattedDescription":"Updated Workaround information. This is an informational change only.","notificationNeeded":false,"notificationSent":false,"sourceId":"56bfcf75-c9e9-eb11-a83c-000d3a6d35d9"},{"cveNumber":"CVE-2021-36934","version":4,"revisionDate":"2021-07-27T07:00:00Z","initialDate":"0001-01-01T00:00:00Z","description":"<p>The following revisions have been made: 1) Removed Windows Server versions from the Security Updates table as they are not affected by this vulnerability. 2) Updated the Workaround information with a Caution regarding restoring a system from backup.</p>\n","unformattedDescription":"The following revisions have been made: 1) Removed Windows Server versions from the Security Updates table as they are not affected by this vulnerability. 2) Updated the Workaround information with a Caution regarding restoring a system from backup.","notificationNeeded":false,"notificationSent":false,"sourceId":"a81666e9-1bef-eb11-a83c-000d3a6d35d9"}]}