Windows 10 vulnerability CVE 2021-36934 (TESTING) - superseded
Log In or Register to download the BES file, and more.

0 Votes

Versioning - This is an older version.

1Windows 10 vulnerability CVE 2021-36934 (TESTING)7/21/2021 10:13:29 AM
2Windows 10 vulnerability CVE 2021-36934 (TESTING) v27/23/2021 5:54:11 AM

Description

Windows 10 Elevation of Privilege Vulnerability

CVE 2021-36934

SAM hives readable by everyone account as of Windows 10 (1809)
Current Fixlet relevance includes Windows 10 without limiting to (1809)

Deletes all VSS Shadow copies, as recommended by Microsoft.

 

Please test well before using as this is BigFix.me community content


Property Details

ID26866
StatusAlpha - Code that was just developed
TitleWindows 10 vulnerability CVE 2021-36934 (TESTING)
DomainBESC
SourceAlpha BigFix.me community content
Source Release Date7/21/2021 12:00:00 AM
CVENamesCVE 2021-36934
Keywordsalpha test vulnerability SAM
Added by on 7/21/2021 10:13:29 AM
Last Modified by on 7/21/2021 10:13:29 AM
Counters 268 Views / 11 Downloads
User Rating 1 star 2 star 3 star 4 star 5 star * Average over 1 rating. ** Log In or Register to add your rating.

Relevance

isWindows (Relevance 1172)
Used in 1135 fixlets and 535 analyses   * Results in a true/false
Show indented relevance
windows of operating system
Used in 1 fixlet   * Results in a true/false
Show indented relevance
name of operating system = "Win10"
Used in 2 fixlets   * Results in a true/false
Show indented relevance
exists files "config/SAM" whose (exists entries whose (account name of trustee of it = "Users" and generic read permission of it and not deny type of it) of dacls of security descriptors of it) of native system folder

Actions

Action 1 (default)

Action Link Click here to deploy this action.
Script Type BigFix Action Script
//redirect to 64 bit versions
action uses wow64 redirection false

//icacls command to add inheritance to current permissions
waithidden cmd.exe /C icacls.exe "{pathname of windows folder}\system32\config\*.*" /inheritance:e

//delete prior VSS shadow copies
waithidden cmd.exe /C vssadmin delete shadows /all /quiet
Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.

Action 2

Action Link Click here  for vunlerability information from Microsoft
Script Type URL
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934
    

Action 3

Action Link Click here to information about VSSAdmin to delete shadow copies
Script Type URL
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin-delete-shadows
    

Sharing

Social Media:
Share this page on Yammer

Comments

Log In or Register to leave comments!
brolly33 -
Thanks @michaell Looks like MS added Server 2019 to the list of effected systems, so I updated the relevance to include it.
michaell -
Tested it and it's working just as hoped and expected. Thanks!