Workaround for Windows 10 and 11 HiveNightmare Windows Elevation of Privilege Vulnera

[harlan4096]

Earlier this week, security researchers discovered a vulnerability in recent versions of Microsoft's Windows operating system that allows attackers to run code with system privileges if exploited successfully.

Overly permissive Access Control Lists (ACLs) on some system files, including the Security Accounts Manager (SAM) database, are causing the issue.

An article on CERT provides additional information. According to it, the BUILTIN/Users group is given RX permission (Read Execute) to files in %windir%\system32\config.

If Volume Shadow Copies (VSS) are available on the system drive, unprivileged users may exploit the vulnerability for attacks that may include running programs, deleting data, creating new accounts, extracting account password hashes, obtain DPAPI computer keys, and more.

According to CERT, VSS shadow copies are created automatically on system drives with 128 Gigabytes or more storage space when Windows updates or MSI files are installed.

Administrators may run vssadmin list shadows from an elevated command prompt to check if shadow copies are available.

Microsoft acknowledged the issue in CVE-2021-36934, rated the severity of the vulnerability as important, the second highest severity rating, and confirmed that Windows 10 version 1809, 1909, 2004, 20H2 and 21H1, Windows 11, and Windows Server installations are affected by the vulnerability.

Test if your system may be affected by HiveNightmare

1. Use the keyboard shortcut Windows-X to display the "secret" menu on the machine.
   
2. Select Windows PowerShell (admin).
   
3. Run the following command: if ((get-acl C:\windows\system32\config\sam).Access | ? IdentityReference -match 'BUILTIN\\Users' | select -expandproperty filesystemrights | select-string 'Read'){write-host "SAM maybe VULN" }else { write-host "SAM NOT vuln"}
   

If "Sam maybe VULN" is returned, the system is affected by the vulnerability (via Twitter user Dray Agha)

Here is a second option to check if the system is vulnerable to potential attacks:

1. Select Start.
   
2. Type cmd
   
3. Select Command Prompt.
   
4. Run icacls %windir%\system32\config\sam
   

A vulnerable system includes the line BUILTIN\UsersI)(RX) in the output. Non-vulnerable system will display an "access is denied" message.

Workaround for the HiveNightmare security issue

Microsoft published a workaround on its website to protect devices against potential exploits.

Administrators may enable ACL inheritance for files in %windir%\system32\config according to Microsoft.

1. Select Start
   
2. Type cmd.
   
3. Pick Run as administrator.
   
4. Confirm the UAC prompt.
   
5. Run icacls %windir%\system32\config\*.* /inheritance:e
   
6. vssadmin delete shadows /for=c: /Quiet
   
7. vssadmin list shadows
   

Command 5 enables ACL interheritance. Command 6 deletes shadow copies that exist and Command 7 verifies that all shadow copies have been deleted.

Now You: is your system affected?
...

Continue Reading