Unpatched Privilege Escalation vulnerabilities in Windows (PrintNightmare/HiveNightmare)

Security Guidance: Thursday 22nd July 2021

What is it?

Microsoft have recently patched a series of vulnerabilities in the Print Spooler service including a remote code execution vulnerability. Unfortunately, the patch they released does not provide a complete fix and a local privilege escalation (or “Make-Me-Admin”) vulnerability remains.

While investigating those vulnerabilities, researchers have also found an Access Control List (ACL) misconfiguration in some builds of Windows which could let a local user read the registry hive files.

What is the impact?

We have advised customers to disable the Print Spooler service where not required to mitigate the risk from PrintNightmare.

Using the ACL misconfiguration, a local unprivileged user may still be able to obtain password hashes or increase their level of access on the network.

Are my systems vulnerable?

You can test the ACL from a standard (non-administrator) user account by running

icacls %windir%\system32\config\sam

On a vulnerable system the response will contain

Successfully processed 1 files; Failed processing 0 files

Otherwise the response should be

C:\Windows\system32\config\sam: Access is denied.

Successfully processed 0 files; Failed processing 1 files
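The icacls check above covers one hive file and depends on reading the command's output by eye. The PowerShell script below is an added example, not part of the original bulletin, that performs the same check for the SAM, SYSTEM and SECURITY hive files under %windir%\system32\config (the choice of those three files is an assumption based on the CVE description, which refers to the system32\config files generally) and reports whether the built-in Users group has been granted any read right on them. It compares identities by SID (S-1-5-32-545) so that it works on non-English installations where the group name is localised, and it treats an access-denied error when reading the ACL as the expected, non-vulnerable result.

```powershell
# Added example: check the registry hive files for read access granted to BUILTIN\Users.
# Run from a standard user account for the same result as the icacls check in the bulletin;
# run elevated, it still reports the offending ACL entries because the rule itself is inspected.
$hiveNames = 'SAM', 'SYSTEM', 'SECURITY'          # assumption: the hive files worth checking
$configDir = Join-Path $env:windir 'System32\config'
$usersSid  = 'S-1-5-32-545'                        # well-known SID for BUILTIN\Users
$readData  = [System.Security.AccessControl.FileSystemRights]::ReadData

function Test-HiveAcl {
    param([string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        # On a correctly configured system a standard user cannot even read the ACL,
        # which matches the "Access is denied" response from icacls.
        return [pscustomobject]@{ Hive = (Split-Path $Path -Leaf); UsersCanRead = $false; Detail = 'ACL not readable (expected for non-admins)' }
    }
    # Any Allow rule that gives the Users group ReadData (present in Read, ReadAndExecute,
    # Modify and FullControl) means unprivileged accounts can read the hive file.
    $offending = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights.HasFlag($readData) -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $usersSid
    }
    $detail = if ($offending) { ($offending | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; ' } else { 'no Users read rule' }
    return [pscustomobject]@{ Hive = (Split-Path $Path -Leaf); UsersCanRead = [bool]$offending; Detail = $detail }
}

$results = foreach ($name in $hiveNames) { Test-HiveAcl -Path (Join-Path $configDir $name) }
$results | Format-Table -AutoSize

# Non-zero exit code when any hive is readable by Users, so the script can feed a fleet-wide check.
if ($results.UsersCanRead -contains $true) { exit 1 } else { exit 0 }
```

The exit code makes the script usable from endpoint-management tooling: collect the per-host result and the Detail column, which records the exact rule (for example an inherited ReadAndExecute entry) that needs attention once a fix is available.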

How do I mitigate this threat?

There’s no known, effective fix at this time. We’re waiting on Microsoft to release more information.

Further Information

CVE-2021-36934

Microsoft Windows 10 gives unprivileged user access to system32\config files