CVE-2021-36934 Vulnerability remediation utilizing Microsoft Intune

Tim (Generative MLB)
1 min read · Jul 22, 2021


On July 20th, 2021 Microsoft reported a new elevation of privilege vulnerability caused by overly permissive access control lists on several system files. One of those files is the Security Accounts Manager (SAM) database, which, as many of you know, contains the password hashes for the host. Microsoft's advisory for the CVE has the full details. The current remediation is to fix those permissions and delete any existing shadow copies, since a snapshot still holds a copy of the files with the old permissions.

Mitigation

Today we're going to use Microsoft Intune and its excellent proactive remediation feature to test machines for the vulnerability. If a machine is found vulnerable, Intune runs the remediation script, which fixes the permissions on the system files, deletes any existing shadow copies of the C:\ volume and creates a fresh shadow copy of C:\.

Detection Script

# Look for an ACE granting BUILTIN\Users access to the SAM hive; a remediated host
# has no such entry in the icacls output.
$test = (icacls c:\windows\system32\config\sam | Select-String -Pattern "BUILTIN\Users" -SimpleMatch)
if ($test) {
    Write-Host "Host is vulnerable"
    exit 1   # non-zero exit tells Intune to run the remediation script
}
Write-Host "Host is not vulnerable"
exit 0
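A broader detection script, added here as an example (it is not code from the original post): it checks the SECURITY and SYSTEM hives next to SAM, not only SAM, and counts existing shadow copies, which is where the exposed copies of the hives actually live. It assumes the hives sit under %windir%\system32\config and that Intune runs the script as SYSTEM, as it does for proactive remediations.

```powershell
# Added example, not from the original post: a broader detection script for the
# same proactive remediation. It checks the SAM, SECURITY and SYSTEM hives (all
# under %windir%\system32\config) for an allow ACE that grants BUILTIN\Users read
# access, rather than only SAM, and counts existing VSS shadow copies, since the
# hives can only be read through a snapshot taken while the ACL was exposed.
$hives = 'SAM', 'SECURITY', 'SYSTEM' | ForEach-Object {
    Join-Path $env:windir "system32\config\$_"
}

$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

$exposed = foreach ($hive in $hives) {
    # Get-Acl only needs READ_CONTROL, so it works even though the hive is
    # held open by the kernel.
    $acl = Get-Acl -Path $hive -ErrorAction Stop
    $usersCanRead = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band $readData) -ne 0)
    }
    if ($usersCanRead) { $hive }
}

# Existing snapshots keep the hives with whatever ACL they had at snapshot time.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)

if ($exposed) {
    Write-Host ("Host is vulnerable: BUILTIN\Users can read {0} ({1} shadow copies present)" -f ($exposed -join ', '), $shadows.Count)
    exit 1   # non-zero exit makes Intune run the remediation script
}
Write-Host ("Host is not vulnerable ({0} shadow copies present)" -f $shadows.Count)
exit 0
```

The remediation below only deletes snapshots of C:, while this count covers every volume, so on a multi-volume host a non-zero count after remediation means the remaining snapshots' VolumeName values are worth a look.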

Remediation script

try {
    # Fix permissions: re-enable ACL inheritance on the hive files so they pick up
    # the permissions of the config directory, which grants BUILTIN\Users nothing
    icacls c:\windows\system32\config\*.* /inheritance:e
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
    # Delete shadow copies of C:, which still hold the hives with the old ACL
    vssadmin delete shadows /for=c: /Quiet
    # Re-create a shadow copy of C: now that the permissions are fixed
    $class = [WMICLASS]"root\cimv2:win32_shadowcopy"
    $result = $class.Create("c:\", "ClientAccessible")
    if ($result.ReturnValue -ne 0) { throw "Win32_ShadowCopy.Create returned $($result.ReturnValue)" }
    Write-Host "Success"
    exit 0
} catch {
    $errMsg = $_.Exception.Message
    Write-Host $errMsg
    exit 1
}
