Windows 10: Windows – CVE-2021-36934 Work around

Edward1991 · Jul 23, 2021

Hi Everyone,I hope someone can help me.I am currently working in a Windows environment with an Active Directory server managing several servers and workstations I am looking at implementing the work around for CVE-2021-36934 HiveNightmareWhat I am unsure about is how implementing this work around will affect an Active Directory serverI have been searching online but am unable to find an answer

:)

Brink · Jul 23, 2021

CVE-2021-36934 Windows Elevation of Privilege Vulnerability

Executive Summary

An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An attacker must have the ability to execute code on a victim system to exploit this vulnerability.

We will update this CVE with mitigations and workarounds as our investigation progresses.

FAQ

No versions of Windows are listed in the Security Updates table. Are all versions vulnerable?

So far, we can confirm that this issue affects Windows 10 version 1809 and newer client operating systems. We will update this CVE as we continue our investigation. If you wish to be notified when updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this CVE. See Microsoft Technical Security Notifications.

Read more: https://msrc.microsoft.com/update-gu...CVE-2021-36934

Brink · Jul 23, 2021

Clarified Guidance CVE-2021-34527 Windows Print Spooler Vulnerability

On Tuesday July 6, 2021, Microsoft issued CVE-2021-34527 regarding a Windows Print Spooler vulnerability. Updates were released on July 6 and 7 which addressed the vulnerability for all supported Windows versions. We encourage customers to update as soon as possible.

CVE-2021-34527 – Windows Print Spooler Remote Code Execution Vulnerability.

Following the out of band release (OOB) we investigated claims regarding the effectiveness of the security update and questions around the suggested mitigations.

Our investigation has shown that the OOB security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare. All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.

Microsoft has focused its efforts on making customer protections available as quickly as possible and our guidance has been updated as our understanding of the issue has evolved. We recommend that customer follow these steps immediately:

In ALL cases, apply the CVE-2021-34527 security update. The update will not change existing registry settings

After applying the security update, review the registry settings documented in the CVE-2021-34527 advisory

If the registry keys documented do not exist, no further action is required

If the registry keys documented exist, in order to secure your system, you must confirm that the following registry keys are set to 0 (zero) or are not present:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint

NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)

UpdatePromptSettings = 0 (DWORD) or not defined (default setting)

For more in depth guidance, please see KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates and CVE-2021-34527.

If our investigation identifies additional issues, we will take action as needed to help protect customers.

The MSRC Team
Click to expand...

Source: https://msrc-blog.microsoft.com/2021...vulnerability/

Brink · Jul 23, 2021

Updates - TCP/IP:  CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086

Today Microsoft released a set of fixes affecting Windows TCP/IP implementation that include two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074, CVE-2021-24094) and an Important Denial of Service (DoS) vulnerability (CVE-2021-24086). The two RCE vulnerabilities are complex which make it difficult to create functional exploits, so they are not likely in the short term. We believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release. Thus, we recommend customers move quickly to apply Windows security updates this month.

The DoS exploits for these CVEs would allow a remote attacker to cause a stop error. Customers might receive a blue screen on any Windows system that is directly exposed to the internet with minimal network traffic.

It is essential that customers apply Windows updates to address these vulnerabilities as soon as possible. If applying the update quickly is not practical, workarounds are detailed in the CVEs that do not require restarting a server. These three vulnerabilities are unique and require separate workarounds depending on the exposure of an affected system; however, they can be thought of in terms of Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) solutions.

The IPv4 workaround simply requires further hardening against the use of Source Routing, which is disallowed in Windows default state. This workaround is documented in CVE-2021-24074 and can be applied through Group Policy or by running a NETSH command that does not require a reboot. The IPv6 workarounds are documented in CVE-2021-24094 and CVE-2021-24086, and require blocking IPv6 fragments, which may negatively impact services with dependencies on IPv6.

Note: IPv4 Source Routing requests and IPv6 fragments can be blocked on an edge device, such as a load balancer or a firewall. This option can be used to mitigate systems with high-risk exposure and then allow the systems to be patched following their standard cadence.

These vulnerabilities were discovered by Microsoft as part of our continual focus on strengthening the security of our products. At this time, we have no evidence that these vulnerabilities were known to any third party. These vulnerabilities result from a flaw in Microsoft’s implementation of TCP/IP and affect all Windows versions. Non-Microsoft implementations are not affected.

It is important that affected systems are patched as quickly as possible because of the elevated risk associated with these vulnerabilities, and downloads for these can be found in the Microsoft Security Update Guide.  Customers who have automatic updates enabled are automatically protected from these vulnerabilities.

We recommend that you apply the updates released February 9, 2021 with priority to all of your Windows devices, as they address CVE-2021-24074, CVE-2021-24094 and CVE-2021-24086. Here is what you need to know:

If you are running a supported version of Windows and have automatic updates enabled, you are automatically protected and do not need to take any further action.

If you are managing updates on behalf of your organization, you should download the latest updates from the Microsoft Security Update Guide and apply those updates to your Windows devices as soon as possible.

If you are unable to apply updates right away, look at the CVEs for the workaround mitigations to use in the short term until you can deploy the updates.

If you are running an unsupported version of Windows, we recommend that you upgrade to the current version of Windows to benefit from the latest security protections.
Click to expand...

Source:

https://msrc-blog.microsoft.com/2021...ecting-tcp-ip/

https://docs.microsoft.com/en-us/win...ge-center#1556

Tweet

— Twitter API (@user) View on Twitter
Click to expand...

Windows 10: Windows – CVE-2021-36934 Work around

Windows – CVE-2021-36934 Work around

Windows – CVE-2021-36934 Work around

Windows – CVE-2021-36934 Work around

Windows – CVE-2021-36934 Work around - Similar Threads - – CVE 2021

KB5004442—Manage changes for Windows DCOM Server Security Feature Bypass CVE-2021-26414

Microsoft’s Response to CVE-2021-44228 Apache Log4j 2

Is Visual Studio affected by Apache Log4j Vulnerability, CVE-2021-44228?

CVE-2021-41379

CVE-2021-41379

Vulnerability CVE-2021-36934

PrintNightmare and CVE-2021-1675

Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527

Updates - TCP/IP:  CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086