HiveNightmare

Microsoft earlier today released a temporary workaround for systems that are vulnerable to the newly found HiveNightmare security flaw. The vulnerability was discovered by Twitter user 'Jonas L' and verified by another user, '@GossiTheDog', who noticed that the Windows Security Account Manager (SAM) database, which stores the password hashes of local accounts, was readable by non-admin users. The same overly permissive ACL also covers the SYSTEM hive (which holds the boot key needed to decrypt those hashes) and the SECURITY hive (LSA secrets and cached domain credentials), which is why the flaw is called SeriousSAM or HiveNightmare: an attacker who can read all three hive files can recover local credentials offline. The live hives are held open by the kernel, so the practical read path for a standard user is a Volume Shadow Copy of the system drive, which is what the second half of the workaround below addresses.

The problem was initially attributed to the recent KB5004605 update, which added Advanced Encryption Standard (AES) encryption for the SAM, but the permissive permissions go back further: Microsoft lists every release from Windows 10 version 1809 onward as affected, including the latest Windows 11 Insider Preview Build 22000.71.

Microsoft has acknowledged the vulnerability as CVE-2021-36934, an elevation-of-privilege flaw, and has provided the following workaround:

  • Restrict access to the contents of %windir%\system32\config
    • Open Command Prompt or Windows PowerShell as administrator.

    • Run this command:
      icacls %windir%\system32\config\*.* /inheritance:e

      (In PowerShell, %windir% is not expanded; use $env:windir instead. Re-applying inheritance replaces the stale inherited BUILTIN\Users read entries on the hive files with the entries actually inheritable from the config directory, which grants ordinary users nothing. Afterwards, icacls %windir%\system32\config\sam should no longer list BUILTIN\Users.)

  • Delete Volume Shadow Copy Service (VSS) shadow copies

    • Delete any System Restore points and shadow copies that existed prior to restricting access to %windir%\system32\config. The order matters: a shadow copy taken while the ACL was weak preserves that ACL, so fixing the permissions alone leaves the old snapshots readable. Note that deleting shadow copies can affect restore operations, including restores made with third-party backup software.

    • Create a new System Restore point (if needed)

For those wondering whether their system is exposed: System Protection is enabled by default on system drives larger than 128 GB, so most such machines already have VSS shadow copies from which an attacker could read the hives. To confirm whether shadow copies exist and whether a standard user can read the hive files through them, the CERT/CC vulnerability note on the issue (VU#506989) walks through the checks.
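As an added example (our script, not Microsoft's workaround text or the article's own code), the following PowerShell audits both conditions that make a host exploitable, the weak hive ACL and an existing shadow copy of the system volume, and applies the workaround above in the documented order when run with -Fix. It assumes an elevated PowerShell 5.1 or later session; the -Fix switch and the function names are this example's own. The BUILTIN\Users group is matched by its well-known SID, S-1-5-32-545, rather than by name so the check also works on localized Windows installs.

```powershell
<#
  Added example, not Microsoft's or the article's code: audit a host for the two
  CVE-2021-36934 conditions (weak hive ACL, existing shadow copy of the system volume)
  and, with -Fix, apply the workaround in the documented order.
  Assumes an elevated PowerShell session; -Fix and the function names are our own.
#>
[CmdletBinding()]
param(
    [switch]$Fix
)

$ConfigDir = Join-Path $env:windir 'System32\config'
$Hives     = 'SAM', 'SYSTEM', 'SECURITY'
$UsersSid  = 'S-1-5-32-545'   # BUILTIN\Users; compared by SID so localized group names do not matter
$ReadData  = [System.Security.AccessControl.FileSystemRights]::ReadData

function Test-HiveAcl {
    # Emit one record per hive file on which BUILTIN\Users holds an Allow entry with read access.
    # The live hives are held open exclusively by the kernel, so that right is only usable
    # through a shadow copy, but the ACL is the root cause and is what the workaround corrects.
    foreach ($hive in $Hives) {
        $path = Join-Path $ConfigDir $hive
        $acl  = Get-Acl -LiteralPath $path
        foreach ($ace in $acl.Access) {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            if ($sid -eq $UsersSid -and $ace.AccessControlType -eq 'Allow' -and
                ([int]($ace.FileSystemRights -band $ReadData)) -ne 0) {
                [pscustomobject]@{ Hive = $path; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

function Get-SystemShadowCopy {
    # Shadow copies of the system volume. While the weak ACL is in place a standard user can
    # open "<DeviceObject>\Windows\System32\config\SAM" on each of them, so every copy taken
    # before the ACL fix is an exploitable snapshot and has to go.
    $sysVol = Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter = '$env:SystemDrive'"
    Get-CimInstance -ClassName Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $sysVol.DeviceID }
}

function Invoke-Workaround {
    # Order matters: repair the ACL first, then delete shadow copies. A copy taken while the
    # files were readable keeps that ACL, so the reverse order leaves a readable snapshot behind.
    Write-Host "Re-applying inherited permissions under $ConfigDir"
    & icacls "$ConfigDir\*.*" /inheritance:e | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

    $copies = @(Get-SystemShadowCopy)
    if ($copies.Count -gt 0) {
        # This also removes System Restore points; make sure backups live elsewhere first.
        Write-Host "Deleting $($copies.Count) shadow copies of $env:SystemDrive"
        & vssadmin delete shadows "/for=$env:SystemDrive" /all /quiet | Out-Null
    }

    try {
        # Needs System Protection enabled; Windows also rate-limits restore points to one per day by default.
        Checkpoint-Computer -Description 'CVE-2021-36934 workaround' -RestorePointType MODIFY_SETTINGS -ErrorAction Stop
    } catch {
        Write-Warning "No restore point created: $($_.Exception.Message)"
    }
}

$weak   = @(Test-HiveAcl)
$copies = @(Get-SystemShadowCopy)
$weak | Format-Table -AutoSize | Out-Host
Write-Host "Shadow copies of $($env:SystemDrive): $($copies.Count)"
if ($weak.Count -eq 0) {
    Write-Host 'Hive ACLs do not grant BUILTIN\Users read access.'
} elseif ($copies.Count -eq 0) {
    Write-Host 'Weak ACL but no shadow copy yet: fix it before System Restore creates one.'
} else {
    Write-Warning 'Vulnerable: weak hive ACL and an existing shadow copy to read it from.'
}
if ($Fix) { Invoke-Workaround }
```

Run it with no arguments to report, and with -Fix to apply the workaround. Because -Fix deletes every shadow copy of the system drive, and with them the restore points, review your backup situation before running it on a machine you cannot easily rebuild.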

Source: Microsoft via Forbes