BLOG 22 July 2021
It’s been only three weeks since the PrintNightmare debacle, which introduced several zero-days affecting all Windows operating systems. Since my blog post on that mitigation, several other zero-days related to the print spooler have also appeared.
While the PrintNightmare issue is still very active, a new zero-day vulnerability has appeared, this time affecting multiple Windows system files that have been given the wrong permissions. The issue has been present in every version of Windows released in the past three years, but was only discovered this week. Microsoft assigned CVE-2021-36934 to this vulnerability on 20 July and acknowledged the issue. An emergency patch is expected in the coming days or weeks.
A lot of great people within the InfoSec community have been researching this issue. A member of the community, Kevin Beaumont, has created a PoC for this exploit and also provided a mitigation script. If you want to know more about the exploit and PoC, be sure to check out his blog.
The mitigation, which is documented on the Microsoft MSRC site, consists of two steps: restricting access to the contents of %windir%\system32\config (the script below does this by restoring ACL inheritance with icacls), and deleting any System Restore points and volume shadow copies that existed before access was restricted, since those still contain readable copies of the registry hives.
Mitigation Scripts
Kevin has provided a remediation script on GitHub which executes these steps on Windows computers. I have updated the script with the following modifications:
Both scripts can be found below and on our GitHub repository. In the next section of the blog, we’ll go over deploying these scripts with Microsoft Endpoint Manager.
Detection
# Resolve the localized name of the built-in Users group (S-1-5-32-545)
$LocalBuiltInUsersGroupName = (Get-LocalGroup -SID S-1-5-32-545).Name
# Read the ACL of the SAM hive; a vulnerable system shows an inherited (I)(RX) entry for Users
$checkPermissions = icacls c:\Windows\System32\config\sam
if ($checkPermissions -like "*$($LocalBuiltInUsersGroupName):(I)(RX*)*") {
    Write-Host "Computer is vulnerable"
    Exit 1   # a non-zero exit code tells Proactive Remediations to run the remediation script
}
else {
    Write-Host "Computer is not vulnerable"
    Exit 0
}
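As an added example (not part of the original post or of Kevin's script), here is a detection variant that checks the ACL of every registry hive file in %windir%\System32\config with Get-Acl instead of pattern-matching icacls text, and also reports how many shadow copies exist, since a readable hive is only exposed through a shadow copy. The list of hive file names it checks and the use of Get-CimInstance are my assumptions.

```powershell
# Added example: ACL-based detection for CVE-2021-36934 across all hive files,
# plus a count of existing shadow copies for the report. Hive names are assumed.
$hives = 'SAM', 'SECURITY', 'SYSTEM', 'SOFTWARE', 'DEFAULT'
$configDir = Join-Path $env:windir 'System32\config'
$usersSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

$exposedHives = foreach ($hive in $hives) {
    $path = Join-Path $configDir $hive
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $acl = Get-Acl -LiteralPath $path
    # Flag the hive if any Allow ACE grants BUILTIN\Users a read right on the file,
    # regardless of the group's localized display name.
    $readAce = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $usersSid -and
        (([int]$_.FileSystemRights -band $readData) -ne 0)
    }
    if ($readAce) { $hive }
}

# Shadow copies made while the ACL was wrong still expose the hives after the ACL is fixed.
$shadowCopies = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

if ($exposedHives) {
    Write-Host ("Vulnerable ACL on: {0}; shadow copies present: {1}" -f (@($exposedHives) -join ', '), $shadowCopies.Count)
    Exit 1   # triggers the remediation script in Proactive Remediations
}
else {
    Write-Host "Hive ACLs are correct; shadow copies present: $($shadowCopies.Count)"
    Exit 0
}
```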
Remediation
$SystemRestoreEnabledRegPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
$SystemRestoreEnabledRegKey = "RPSessionInterval"
$LocalBuiltInUsersGroupName = (Get-LocalGroup -SID S-1-5-32-545).Name

# Execute mitigation: restore ACL inheritance on the hive files and remove existing shadow copies
icacls c:\windows\system32\config\*.* /inheritance:e
vssadmin delete shadows /quiet /all

# Check permissions: the Users group must no longer have an inherited (I)(RX) entry on SAM
$checkPermissions = icacls C:\windows\system32\config\sam
if ($checkPermissions -like "*$($LocalBuiltInUsersGroupName):(I)(RX*)*") {
    $permissionsSuccess = $false
    Write-Host "ACL change failed. Check permissions running script, e.g. run as SYSTEM."
}
else {
    $permissionsSuccess = $true
    Write-Host "Successfully reset permission inheritance on affected files."
}

# Check shadow copies: count the remaining Win32_ShadowCopy instances rather than reading
# Win32_ShadowStorage.UsedSpace, which is empty when no shadow storage exists and returns
# one value per volume, both of which made the original check report a failure wrongly
$remainingShadows = @(Get-WmiObject Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
if (0 -eq $remainingShadows) {
    $shadowSuccess = $true
    Write-Host "Successfully deleted old volume shadow copies."
}
else {
    $shadowSuccess = $false
    Write-Host "Shadow deletion failed. Security software may be blocking this action or check running permissions."
}

# Fixed only when both steps succeeded
$fixed = ($permissionsSuccess -and $shadowSuccess)

# Create a new shadow copy, but only if System Restore is enabled on this machine
$ShadowEnabled = $false
$rpInterval = (Get-ItemProperty -Path $SystemRestoreEnabledRegPath -Name $SystemRestoreEnabledRegKey -ErrorAction SilentlyContinue).$SystemRestoreEnabledRegKey
if ($rpInterval -eq 1) {
    $ShadowEnabled = $true
}
if ($fixed -and $ShadowEnabled) {
    wmic shadowcopy call create Volume='C:\'
}

# Output data
Write-Host "Fixed: $fixed"
Mitigation with MEM
To deploy these scripts with Microsoft Endpoint Manager, we can use Proactive Remediations. A Proactive Remediation consists of two scripts: a detection script and a remediation script. If the detection script exits with code 1, the remediation script will run.
To implement the scripts, navigate to the MEM portal > Reports > Endpoint Analytics > Proactive remediations and select Create script package at the top of the page.
Upload both the detection and remediation script and set ‘Run script in 64-bit PowerShell’ to Yes. Select Next to continue.
The final configuration is the assignment of the script. It’s recommended to deploy the script to your canary ring first and then expand coverage to all of your devices.
To finish the deployment, select Next and click Create. Your devices will now execute these scripts based on the schedule. If a device is not vulnerable, only the detection script will run.
Disclaimer
These scripts are provided without any guarantees. Before deploying these scripts validate them in your test environment or get in touch for assistance.