Description
Windows Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
An attacker must have the ability to execute code on a victim system to exploit this vulnerability.
After installing this security update, you must manually delete all shadow copies of system files, including the SAM database, to fully mitigate this vulnerability. Simply installing this security update will not fully mitigate this vulnerability. See KB5005357 - Delete Volume Shadow Copies (https://support.microsoft.com/topic/1ceaa637-aaa3-4b58-a48b-baf72a2fa9e7).
Workaround
We recommend installing this security update as soon as possible. If you must delay installation of this security update, we recommend this workaround:
Restrict access to the contents of %windir%\system32\config
Command Prompt (Run as administrator):
icacls %windir%\system32\config\*.* /inheritance:e
Windows PowerShell (Run as administrator):
icacls $env:windir\system32\config\*.* /inheritance:e
Delete Volume Shadow Copy Service (VSS) shadow copies
Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.
Create a new System Restore point (if desired).
Impact of workaround: Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications. For more information on how to delete shadow copies, see KB5005357 - Delete Volume Shadow Copies.
Note 1: You must restrict access and delete shadow copies to mitigate this vulnerability.
Note 2: Even after installing this security update, you must delete all shadow copies of your system volume to fully mitigate this vulnerability.
Caution: Restoring your system from a backup could also restore the overly permissive ACLs, and therefore revert your system to a vulnerable state. After restoring a backup, you must verify that the ACLs are correct to ensure that the restore operation did not reintroduce this vulnerability.
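The workaround above and the caution about restored backups both come down to the same two checks: do the hive files under %windir%\system32\config still grant access to ordinary users, and are there still shadow copies that predate the ACL fix? The following read-only audit is an added example, not part of the advisory or of Microsoft's KB; it assumes that an Allow ACE for the well-known BUILTIN\Users group (SID S-1-5-32-545) on those files is the overly permissive ACL the advisory refers to, and it changes nothing on the system.

```powershell
# Added example (not from the advisory): report hive files under %windir%\system32\config
# that grant access to BUILTIN\Users, and list VSS shadow copies that still exist.
# Assumption: an Allow ACE for S-1-5-32-545 on these files is the overly permissive ACL.
# Run from an elevated PowerShell session; the script only reads, it never modifies.

function Get-ConfigHiveUsersAccess {
    $configDir = Join-Path $env:windir 'system32\config'
    # Resolve the well-known SID so the comparison also works on localized systems.
    $usersSid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'
    $usersName = $usersSid.Translate([System.Security.Principal.NTAccount]).Value
    foreach ($file in Get-ChildItem -LiteralPath $configDir -File -ErrorAction SilentlyContinue) {
        # Reading the DACL needs only READ_CONTROL, so it works on hives the kernel holds open.
        try { $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop } catch { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and $ace.IdentityReference.Value -eq $usersName) {
                [pscustomobject]@{
                    File      = $file.Name
                    Rights    = $ace.FileSystemRights.ToString()
                    Inherited = $ace.IsInherited   # explicit ACEs are the ones /inheritance:e addresses
                }
            }
        }
    }
}

function Get-ExistingShadowCopies {
    # Any snapshot taken before the ACLs were restricted may still hold a readable hive copy,
    # which is why the advisory requires deleting them in addition to fixing the ACLs.
    Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
        Select-Object ID, InstallDate, VolumeName
}

$exposed = @(Get-ConfigHiveUsersAccess)
if ($exposed.Count -eq 0) {
    Write-Output 'No hive file under system32\config grants access to BUILTIN\Users.'
} else {
    Write-Output 'Hive files granting access to BUILTIN\Users (overly permissive ACL):'
    $exposed | Format-Table -AutoSize
}

$shadows = @(Get-ExistingShadowCopies)
Write-Output ('Shadow copies present: {0}' -f $shadows.Count)
$shadows | Format-Table -AutoSize
```

Run it once after applying the workaround or the update, and again after any restore from backup, as the caution above recommends; a clean result is an empty ACL table and a shadow-copy count of zero (or only copies created after the fix).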
FAQ
Why doesn't this security update fully mitigate this vulnerability?
Fully mitigating this vulnerability involves deleting shadow copies of user data. To avoid deleting data without users' consent, we have opted to allow users to delete their shadow copies themselves. See KB5005357 - Delete Volume Shadow Copies.
Why doesn't this security update correct the ACLs on all files in %windir%\system32\config?
This security update corrects the ACLs on specific system files, including the SAM database, that would allow an attacker to elevate privileges. To avoid unexpected behavior, this security update does not correct the ACLs on every file in %windir%\system32\config.
I had manually corrected the ACLs on files in %windir%\system32\config and then deleted the shadow copies of my system volume. Do I need to delete the shadow copies again?
No. If you correctly applied the workaround before installing this security update, then you do not need to delete any shadow copies again.
Updates
Product | Article | Update |
---|---|---|
Windows 10 Version 1809 for 32-bit Systems | | |
Windows 10 Version 1809 for x64-based Systems | | |
Windows 10 Version 1809 for ARM64-based Systems | | |
Windows 10 Version 1909 for 32-bit Systems | | |
Windows 10 Version 1909 for x64-based Systems | | |
Windows 10 Version 1909 for ARM64-based Systems | | |
Windows 10 Version 2004 for 32-bit Systems | | |
Windows 10 Version 2004 for ARM64-based Systems | | |
Windows 10 Version 2004 for x64-based Systems | | |
Windows 10 Version 20H2 for x64-based Systems | | |
CVSS3: 7.8 High
Related vulnerabilities
A vulnerability in Windows operating systems caused by access-control weaknesses, allowing an attacker to elevate their privileges
CVSS3: 7.8 High