Windows "HiveNightmare" bug could expose system files to non-admin users

3 years ago 355

An attacker who exploits this flaw could use system privileges to install programs, view or delete data, and create accounts with full user rights.

Another day, another Windows bug. Following a string of recent flaws discovered in Windows, the latest vulnerability dubbed "HiveNightmare" could allow someone to compromise your system by exploiting a security weakness that affects the Registry. At this point, no patch is available to fix the flaw; instead Microsoft is offering a series of workarounds designed to protect your computer from this new dilemma.

SEE: Checklist: Securing Windows 10 systems (TechRepublic Premium)

Specifically, HiveNightmare (also known as SeriousSAM) lets non-admin users access the contents of different Windows system files, including the Security Account Manager (SAM), SYSTEM, and SECURITY Registry hive files. Located in the system32\config directory, the SAM is home to such critical data as user accounts and passwords, so normally it's accessible only to privileged accounts and processes and locked when in use.

In its description of the bug (CVE-2021-36934), Microsoft said that attackers who exploit the flaw could acquire system privileges to install programs, view or delete data, and create accounts with full user rights. The vulnerability affects all versions of Windows 10, including 1809, 1909, 2004, 20H2 and 21H1, as well as Windows Server 2019.

Microsoft blamed this weakness on overly permissive Access Control Lists for multiple system files. In its own vulnerability note, CERT explained that non-administrative users are granted RX (Read and Execute) access to files in the system32\config directory. Beyond the possible impact described by Microsoft, CERT said that if a Volume Shadow Copy Service of the system drive is available, a non-privileged user could also perform the following actions:

Extract and leverage account password hashes.
Discover the original Windows installation password.
Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.
Obtain a computer machine account, which can be used in a silver ticket attack.

Noting that the flaw was uncovered by Twitter user Jonas L and verified by another account known as @GossiTheDog, tech news site Neowin reported that the vulnerability popped up when Microsoft rolled out the recent KB5004605 update, which added Advanced Encryption Standard encryption for certain password operations in Windows.

SEE: Photos: Windows 11 features you need to know (TechRepublic)

Microsoft tagged the HiveNightmare vulnerability as Important, one step below Critical, and assessed its status as "Exploitation More Likely," which means it would be an attractive target for attackers and therefore more likely that exploits could be created.

To see if your computer is susceptible to the flaw, CERT suggests opening a command prompt and typing the following: icacls %windir%\system32\config\sam. If the output includes an entry for BUILTIN\Users:(I)(RX), then your system is vulnerable.

No patch is yet available for this flaw, prompting Microsoft and CERT to suggest the following workarounds for any individual or organization worried about this hole being exploited.

Open a Command Prompt as an administrator. Type the following command: icacls %windir%\system32\config\*.* /inheritance:e
Delete any System Restore points and Shadow volumes that you created before restricting access to %windir%\system32\config. To delete the shadow volumes, type the following command: vssadmin delete shadows /for=c: /Quiet
Finally, create a new System Restore point (if desired).