That is not correct. The attack is based on the "Pass-the-Hash" method:
A Pass-the-Hash (PtH) attack is a technique whereby an attacker captures a password hash (as opposed to the password characters) and then simply passes it through for authentication and potentially lateral access to other networked systems.
While Microsoft has published CVE-2021-36934 about this issue, the CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workaround:
Restrict access to sam, system, and security files and remove VSS shadow copies
Vulnerable systems can remove the Users ACL to read these sensitive files by executing the following commands:
CVE-2021-36934 has been released to track an issue that a researcher has stumbled on … and it’s honestly been around for a while. Starting with Windows 10 1809 and later, the default permissions on the “Security accounts manager database” (also known as SAM database) aren’t set right and if you are a non administrator user where you shouldn’t have the ability to access that file, in Windows 10 1809 and later you DO have rights to that file.
While on consumer and home computers this isn’t a huge issue, in businesses where keeping ransomware at bay is near impossible these days, it’s not a good thing at all.
Bleeping Computer explains the situation: “With these low file permissions, a threat actor with limited privileges on a device can extract the NTLM hashed passwords for all accounts on a device and use those hashes in pass-the-hash attacks to gain elevated privileges.”
The SANS site explains specifically how this vulnerability takes place: “The only issue here is how do we read those files: when Windows are running, the access to the files is locked and even though we have read permission, we won’t be able to read them. As two great researchers found (@jonasLyk and @gentilkiwi), we can actually abuse Volume Shadow Copy to read the files. VSS will allow us to bypass the file being locked, and since we have legitimate read access, there’s nothing preventing us from reading the file. VSS is a feature that is enabled automatically on Windows and that allows us to restore previous copies in case something got messed up during installation of a new application or patch, for example. If your system disk is greater than 128 GB, it will be enabled automatically!”
Action items to take as a consumer: Nothing. The potential mitigation (“apart from disabling/removing VSS copies. Keep in mind that the permission on the hives will still be wrong, but at least a non-privileged user will not be able to easily fetch these files due to them being locked by Windows as the system is running.”) is, to me, not viable and puts your system at risk of not being able to use the Previous Versions tab, backups and other goodness. I’d rather not change any permissions because, given that this has been in place since 1809, software may be expecting these permissions. I’ll let you know when a patch or fix comes out, or a mitigation that I consider safe.
Actions to take as an IT Pro or MSP: Also nothing at this time. Again, I consider VSS copies too important to disable.
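For anyone who wants to check their own machines for the condition described above rather than take the blog’s word for it, here is an added audit script (mine, not from the original post, CERT/CC or Microsoft). It assumes the default hive location under %windir%\System32\config and that it is run from an elevated prompt so the shadow-copy query can complete:

```powershell
# Added audit script (not from the original post or CERT/CC): reports whether the
# SAM, SYSTEM and SECURITY hives grant BUILTIN\Users read access (the CVE-2021-36934
# condition) and whether VSS shadow copies exist that would let a reader bypass the
# lock Windows keeps on the live hives. Run from an elevated PowerShell prompt.

$hives = 'SAM', 'SYSTEM', 'SECURITY' |
    ForEach-Object { Join-Path $env:windir "System32\config\$_" }

# ReadData is the bit that matters; the (RX) entry CERT/CC describes includes it.
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

$exposed = @()
foreach ($hive in $hives) {
    if (-not (Test-Path -Path $hive)) {
        Write-Warning "$hive not found; skipping"
        continue
    }
    $acl = Get-Acl -Path $hive
    $usersRead = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        (([int]$_.FileSystemRights -band $readData) -ne 0)
    }
    if ($usersRead) {
        $exposed += $hive
        Write-Warning "$hive grants read access to BUILTIN\Users"
    } else {
        Write-Output "$hive : OK (no BUILTIN\Users read access)"
    }
}

# Shadow copies only matter in combination with the loose ACL above.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($exposed.Count -gt 0 -and $shadows.Count -gt 0) {
    Write-Warning ("{0} shadow copies present on a host with readable hives; " +
                   "this is the combination the CERT/CC workaround addresses." -f $shadows.Count)
} elseif ($exposed.Count -gt 0) {
    Write-Warning "Hive ACLs are loose but no shadow copies exist right now; the exposure will appear as soon as one is created."
} else {
    Write-Output "Hive ACLs look correct; VSS can stay enabled."
}
```

The script changes nothing; it only reports, so it can be run on a fleet before deciding whether the CERT/CC workaround is worth the loss of Previous Versions.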
Although this vulnerability does not allow the attacker to get higher privileges in the Home environment, the fact that the SAM database is readable is not good for home users either. Most NTLM hashes can be easily cracked by using some known tools (they use precomputed tables of hashes related to password wordlists).
Anyway, it seems that Microsoft accounts are not vulnerable.
Home users who chose unusual login passwords can sleep soundly too. The vulnerability is so dangerous for enterprises that it will be patched by Microsoft soon.