Hello, welcome to the Thursday, July 22nd, 2021 edition of the Santernut Storm Center's Stormcast. My name is Johannes Ulrich. And then I'm recording from Jacksonville, Florida. Well, we got some guidance from Microsoft now regarding the summer of Sam vulnerability. First of all, there's now a proper CVE number, 2021, 36, 93, 4. And Microsoft

also published some help as to how to avoid this problem. First of all, of course,

they need to adjust permissions for the affected directory and the important part is also the inheritance

so any files in that system 32 config directory will have the correct permissions.

Apparently in 2018 Microsoft did publish a patch that prevented these files from being backed up in securely,

and as part of that patch, the permissions were altered, or the inheritance part, was altered on these directories,

which then led to this vulnerability.

All versions, Windows 10809, then led to this vulnerability.

All versions, Windows 10809, that's the 2018 version, and later are affected, but Windows

server again not affected.

Microsoft states as part of the Knowledge-Based article that they're still investigating if other versions may be affected as well.

And after you adjust the permissions, then you do need to delete any system restore points and shadow volumes from before you adjusted the permissions.

Then of course after you're done with that, create a new system restore point.

So in case something goes back a little bad later, you can at least recover to the post-fix

restore point.

Now there were some questions about what made this particular issue such a big problem.

In Linux, we do have our shadow file.

It's similarly restricted in the sense that only route can access it.

That's where you typically find the hash, the system passwords.

One of the issues with Windows is that

hashing still well uses NTLM, essentially MD4. So brute forcing or

reversing these hashes is much simpler than what you would find in a modern

...