Description:

Microsoft has released a security alert to address a vulnerability in the following products:

• Windows Server, version 20H2 (Server Core Installation)
• Windows 10 Version 20H2 for ARM64-based Systems
• Windows 10 Version 20H2 for 32-bit Systems
• Windows 10 Version 20H2 for x64-based Systems
• Windows Server, version 2004 (Server Core installation)
• Windows 10 Version 2004 for x64-based Systems
• Windows 10 Version 2004 for ARM64-based Systems
• Windows 10 Version 2004 for 32-bit Systems
• Windows 10 Version 21H1 for 32-bit Systems
• Windows 10 Version 21H1 for ARM64-based Systems
• Windows 10 Version 21H1 for x64-based Systems
• Windows 10 Version 1909 for ARM64-based Systems
• Windows 10 Version 1909 for x64-based Systems
• Windows 10 Version 1909 for 32-bit Systems
• Windows Server 2019 (Server Core installation)
• Windows Server 2019
• Windows 10 Version 1809 for ARM64-based Systems
• Windows 10 Version 1809 for x64-based Systems
• Windows 10 Version 1809 for 32-bit Systems

Threats:

Attacker could exploit this vulnerability by escalating their privilege.

Best practice and Recommendations:

The CERT team encourages users to review Microsoft security advisory:

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934

Microsoft also recommends the following:

1. Restrict access to the contents of %windir%\system32\config

• Command Prompt (Run as administrator): icacls %windir%\system32\config\*.* /inheritance:e
• Windows PowerShell (Run as administrator): icacls $env:windir\system32\config\*.* /inheritance:e

1. Delete Volume Shadow Copy Service (VSS) shadow copies

• Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.
• Create a new System Restore point (if desired).