SeriousSAM bug impacts all Windows 10 versions released in the past 2.5 years

A security researcher has discovered a major vulnerability in the Windows 10 operating system that can allow threat actors to gain access to elevated privileges and user accounts passwords.

Discovered by Jonas Lyk over the weekend, the vulnerability resides in how Windows 10 grants access to some OS configuration files.

In particular, the vulnerability, nicknamed SeriousSAM, refers to how Windows 10 controls who can access folders like SAM, SECURITY, and SYSTEM.

C:\Windows\System32\config\sam
C:\Windows\System32\config\security
C:\Windows\System32\config\system

These are important Windows folders because they fold information such as hashed passwords for all Windows user accounts, security-related settings, data about encryption keys, and other core OS configuration details.

A threat actor who can read files from these locations can extract crucial information that can allow them to gain access to user passwords and system settings that can be abused for malicious purposes.

Because of the sensitive data they store, only Windows admin accounts are allowed to interact with these configuration files.

Bug discovered by accident while testing Windows 11

However, while testing the upcoming Windows 11 release, Lyk discovered that while Windows was restricting low-privileged users from accessing those sensitive configuration files, copies of these files were also being saved in backup files created by Shadow Volume Copy, a Windows feature that creates snapshots of computer files during filesystem operations.

While in older Windows OS versions, access to these files was restricted in the Shadow Volume Copy feature, Lyk and other researchers[123] discovered that since Windows 10 v1809, released in November 2018, Microsoft has been failing to block access to these configuration files in Shadow Volume Copy backups.

This meant that malware or threat actors who gained a foothold on Windows 10 systems could abuse the SeriousSAM vulnerability to gain full control over Windows versions released over the past 2.5 years.

Threat actors gaining access to the Security Account Manager (SAM) configuration file is considered the biggest issue, as this could allow them to steal hashed passwords, cracked the hashes offline, and hijack accounts.

However, the other configuration files stored in the SYSTEM and SECURITY folders can also yield similarly dangerous data, such as DPAPI encryption keys and Machine Account details (data used in joining computers to Active Directories).

No patch available

In a security advisory published today, Microsoft formally acknowledged the issue, which the company is currently tracking as CVE-2021-36934.

Currently, the OS maker recommended deleting all Shadow Volume Copy backups as a temporary mitigation.

Security researcher Kevin Beaumont has published proof-of-concept code to allow sysadmins to test which of their systems are vulnerable to SeriousSAM attacks.

Article updated at 6am ET with Microsoft's mitigations.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Catalin Cimpanu

Catalin Cimpanu

is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.