Microsoft has issued a security notice regarding a vulnerability (CVE-2021-36934) that allows a local authenticated attacker to achieve local privilege escalation.
This vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Account Manager (SAM) database and the SYSTEM and SECURITY registry hive files, in Windows 10 version 1809 and newer client operating systems.
A local authenticated attacker may be able to achieve local privilege escalation (LPE) on a vulnerable system with at least one Volume Snapshot Service (VSS) shadow copy of the system drive. They may also exploit other security weaknesses on the vulnerable system, including but not limited to:
- Extract and leverage account password hashes
- Discover the original Windows installation password
- Obtain Data Protection Application Programming Interface (DPAPI) computer keys that can be used to decrypt all computer private keys
- Obtain a computer machine account that can be used in a Kerberos Silver Ticket attack
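
The following PowerShell audit is an added example, not part of Microsoft's notice: it checks a host for the two conditions described above, a hive-file ACL that grants read access to ordinary users and a VSS shadow copy of the system drive. It assumes the hive files are in the default `%windir%\System32\config` directory and treats the well-known SIDs for Users, Everyone and Authenticated Users as the "overly permissive" identities.

```powershell
# Added example: defensive audit for the two conditions named in the notice.
# Run from an elevated prompt (Win32_ShadowCopy queries need administrator rights).

# Assumption: the hive files live in the default %windir%\System32\config directory.
$configDir = Join-Path $env:windir 'System32\config'
$hives     = 'SAM', 'SYSTEM', 'SECURITY'

# Well-known SIDs that include ordinary local users (locale-independent).
$broadSids = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
}
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$sidType  = [System.Security.Principal.SecurityIdentifier]

# Condition 1: an Allow ACE grants read access on a hive to a broad group.
$aclFindings = foreach ($hive in $hives) {
    $path = Join-Path $configDir $hive
    $acl  = Get-Acl -Path $path
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        if ($broadSids.ContainsKey($sid) -and
            $rule.AccessControlType -eq 'Allow' -and
            (([int]$rule.FileSystemRights -band $readData) -ne 0)) {
            [pscustomobject]@{
                File     = $path
                Identity = $broadSids[$sid]
                Rights   = $rule.FileSystemRights
            }
        }
    }
}

# Condition 2: at least one VSS shadow copy exists for the system drive.
$sysVolume = Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter = '$($env:SystemDrive)'"
$shadows   = @(Get-CimInstance -ClassName Win32_ShadowCopy |
               Where-Object { $_.VolumeName -eq $sysVolume.DeviceID })

# Report the offending ACEs, then a one-line summary per host.
$aclFindings | Format-Table -AutoSize | Out-Host
[pscustomobject]@{
    PermissiveHiveAcl      = [bool]$aclFindings
    SystemDriveShadowCount = $shadows.Count
    BothConditionsPresent  = [bool]$aclFindings -and ($shadows.Count -gt 0)
}
```
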
Microsoft is currently investigating this vulnerability. Users of affected products should refer to Microsoft's website regularly for updates and recommended actions.
More information is available here: