Jonas Lyk, a cybersecurity specialist, reported the discovery of a critical vulnerability in Windows 10 systems whose exploitation would allow threat actors to gain high privileges and even steal user passwords. The expert mentions that the vulnerability lies in the signature in which the operating system grants access to its configuration files.
The flaw was dubbed “SeriousSAM”, in reference to the signature in which Windows 10 controls access to folders such as SAM, SECURITY, and SYSTEM. These are important folders on the system, as they contain information such as hashed passwords for all user accounts on the system, as well as security settings, encryption keys, and other sensitive details.
Malicious hackers with access to these files could extract sensitive information in order to access passwords and other details for malicious purposes. Given the information stored in these directories, only a Windows administrator account could interact with these files.
The researcher found the vulnerability while analyzing a trial version of Windows 11. In his report, Lyk mentions that while Windows restricts access to sensitive configuration files only to users with high privileges, copies of these files are also saved in backup files due to the work of Shadow Volume Copy, a system feature that creates logs of the files.
Persistent threat actors on affected systems could abuse this flaw to gain full control over the latest versions of Windows, released over the past three years. The main risk is the potential access to the Security Account Manager (SAM) configuration file, as this action will allow hackers to steal hashed passwords and hijack vulnerable accounts.
It should be noted that other configuration files stored in vulnerable folders could also generate information subject to cyberattack attempts, including DPAPI encryption keys and administrator account details.
In its security alert, Microsoft acknowledges the presence of the vulnerability, which received the CVE-2021-36934 tracking key. The company also recommends removing from the operating system all backups set by Shadow Volume to mitigate the risk of exploitation.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.