Windows 10 vulnerability CVE 2021-36934 (TESTING) v2


Versioning - This is the latest version.

1. Windows 10 vulnerability CVE 2021-36934 (TESTING) - 7/21/2021 10:13:29 AM
2. Windows 10 vulnerability CVE 2021-36934 (TESTING) v2 - 7/23/2021 5:54:11 AM

Description

Windows 10 Elevation of Privilege Vulnerability

CVE 2021-36934

SAM hives readable by everyone account as of Windows 10 (1809)
Current Fixlet relevance includes all Windows 10 versions, without limiting it to 1809

Deletes all VSS Shadow copies, as recommended by Microsoft.

Added Windows Server 2019 to relevance after updates to the Microsoft guidance

 

Please test well before using as this is BigFix.me community content


Property Details

ID: 26867
Status: Beta - Preliminary testing ready for more
Title: Windows 10 vulnerability CVE 2021-36934 (TESTING) v2
Domain: BESC
Source: Alpha BigFix.me community content
Source Release Date: 7/21/2021 12:00:00 AM
CVENames: CVE 2021-36934
Keywords: alpha test vulnerability SAM
Added by on 7/23/2021 5:54:11 AM
Last Modified by on 7/23/2021 5:54:11 AM
Counters: 802 Views / 27 Downloads

Relevance

isWindows (Relevance 1172)
windows of operating system
exists files "config/SAM" whose (exists entries whose (account name of trustee of it = "Users" and generic read permission of it and not deny type of it) of dacls of security descriptors of it) of native system folder
name of operating system = "Win10" OR name of operating system = "Win2019"

Actions

Action 1 (default)

Action Link Click here to deploy this action.
Script Type BigFix Action Script
// disable WoW64 redirection so the 64-bit cmd.exe, icacls.exe and vssadmin.exe are used
action uses wow64 redirection false

// icacls command to re-enable inheritance on the files in system32\config
waithidden cmd.exe /C icacls.exe "{pathname of windows folder}\system32\config\*.*" /inheritance:e

// delete prior VSS shadow copies
waithidden cmd.exe /C vssadmin delete shadows /all /quiet

Success Criteria

This action will be considered successful when the applicability relevance evaluates to false.
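
To confirm the result on an endpoint outside BigFix, the check below mirrors the applicability relevance and lists any shadow copies that remain. It is an added example, not part of the fixlet or of BigFix.me content; it goes beyond the relevance (which looks at SAM only) by also checking the SYSTEM and SECURITY hives covered by the action's config\*.* wildcard. Get-HiveAclStatus is a hypothetical helper name, and an elevated 64-bit PowerShell prompt is assumed.

```powershell
# Added example, not part of the fixlet. Run from an elevated 64-bit PowerShell prompt.
# Get-HiveAclStatus is a hypothetical helper name.
function Get-HiveAclStatus {
    param(
        [string]$ConfigDir = (Join-Path $env:windir 'System32\config'),
        [string[]]$Hives   = @('SAM', 'SYSTEM', 'SECURITY')
    )
    # Well-known SID of BUILTIN\Users; the group name is localized, the SID is not.
    $usersSid = 'S-1-5-32-545'
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

    foreach ($hive in $Hives) {
        $path = Join-Path $ConfigDir $hive
        $acl  = Get-Acl -LiteralPath $path -ErrorAction Stop
        # Explicit and inherited ACEs, with identities returned as SIDs
        $aces = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        $readable = @($aces | Where-Object {
            $_.IdentityReference.Value -eq $usersSid -and
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights -band $readData) -ne 0)
        })
        [pscustomobject]@{
            Hive          = $hive
            UsersCanRead  = ($readable.Count -gt 0)            # same condition the relevance tests
            InheritanceOn = -not $acl.AreAccessRulesProtected  # what icacls /inheritance:e enables
        }
    }
}

$status  = @(Get-HiveAclStatus)
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction Stop)

$status | Format-Table -AutoSize | Out-String
"Hives still readable by BUILTIN\Users: $(@($status | Where-Object UsersCanRead).Count)"
"Shadow copies present: $($shadows.Count)"
# Copies created before the ACL change keep the old permissions on their hive files,
# so compare InstallDate with the time the action ran.
$shadows | Select-Object ID, InstallDate, VolumeName | Format-Table -AutoSize | Out-String
```

After a successful run of Action 1, UsersCanRead should be False for every hive, matching the success criteria above.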

Action 2

Action Link Click here for vulnerability information from Microsoft
Script Type URL
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934
    

Action 3

Action Link Click here for information about using VSSAdmin to delete shadow copies
Script Type URL
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/vssadmin-delete-shadows
    

Action 4

Action Link Click here to review this task in the bigfix.me Content Database.
Script Type URL
https://bigfix.me/cdb/fixlet/26866
    


Comments

wally121 -
This doesn't work for me. I don't get it. All of the relevance works in QNA, but it fails when taking action. Any thoughts?
brolly33 -
Thanks @michaell. Looks like MS added Server 2019 to the list of affected systems, so I updated the relevance to include it.
michaell -
Tested it and it's working just as hoped and expected. Thanks!