Opened security lock showing Windows vulnerability

HiveNightmare Windows Vulnerability Results in Local Privilege Escalation on Windows 10 & 11 and Windows Server 2019

Microsoft security researchers confirmed a zero-day vulnerability affecting Windows 10, Windows 11, and Windows Server 2019 operating systems.

Dubbed HiveNightmare or SeriousSAM, CVE-2021-36934 causes local privilege escalation allowing unprivileged users to access the registry, system files, and system passwords.

Despite the gravity of the vulnerability, Microsoft hasn’t released any security patches. However, the company published various workarounds that Windows users can implement ahead of the next patch Tuesday release.

This flaw is the third Windows vulnerability discovered within a month after the PrintNightmare and Windows Hello bugs.

Windows vulnerability grants limited users access to system files, registry, and the SAM database

Jonas Lykkegaard discovered the vulnerability first on the Windows 11 preview. He later established that the bug also existed in the previous version of the Windows operating system.

The Windows vulnerability allows non-administrators in the BUILTIN\Users group to access Windows system files, including the Security Account Manager (SAM), SYSTEM, and SECURITY Registry hive files.

These files reside in the windows system32 config directory and are only accessible to computer administrators. Additionally, the files are locked during operation to prevent unauthorized access or modification.

HiveNightmare windows vulnerability also allows unauthorized users to access the VSS shadow copy for system drives larger than 128GB. Shadow copies are enabled by default on these system drives. Similarly, installing windows updates or an MSI automatically creates shadow copies.

According to CERT, attackers could perform various actions if the volume shadow copy service of the system drive is available. They could access account password hashes and discover the original Windows installation password. And they could retrieve the DPAPI computer keys for decrypting all computer private keys. An attacker could also access the computer machine account and use it to execute silver ticket attacks.

The elevation of privilege vulnerability allows the installation of malicious programs, data access, and creating new accounts with full user privileges by limited users.

All versions of Windows 10 (809, 1909, 2004, 20H2, and 21H1), Windows 11, and Windows Server 2019 suffer from the HiveNightmare vulnerability.

Microsoft attributed the Windows vulnerability to “overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database.”

“Zero-day attacks continue to be among the most alarming for enterprise security analysts,” Saryu says Nayyar, CEO, Gurucul. “Not only do they have to determine that an attack is occurring, but also how the attack is happening, and how to remediate it and not knowing when a fix may become available makes it even more stressful.”

Nayyar advises organizations to “supplement their security practices with ongoing analytics to observe and respond to anomalous user or network behaviors.”

Microsoft released workarounds for the HiveNightmare Windows vulnerability

Windows users can determine if they are vulnerable by typing icacls %windir%\system32\config\sam on the command prompt.Users whose outputs contain the BUILTIN\Users:(I)(RX) result are affected by the HiveNightmare windows vulnerability.

Microsoft recommended restricting access to %windir%\system32\config using the command prompt. Users can achieve this by typing the command: icacls %windir%\system32\config\*.* /inheritance:e.

Microsoft also directed users to delete Volume Shadow Copy Service (VSS) copies and also delete any system restore points. Users can then safely recreate restore points after securing their systems using Microsoft recommended mitigations.

Commenting on HiveNightmare windows vulnerability Doug Britton, CEO, Haystack Solutions said:

“Securing networks is akin to balancing spinning plates. System administrators rely on admin rights and privileges as the first line of security and basic defense. The HiveNightmare bug is a significant threat to a fundamental aspect of network administration and the basic system functions we all rely on.”