Windows "HiveNightmare" bug could expose system files to non-admin users

An attacker who exploits this flaw could use system privileges to install programs, view or delete data, and create accounts with full user rights.


Another day, another Windows bug. Following a string of recent flaws discovered in Windows, the latest vulnerability, dubbed "HiveNightmare," could allow someone to compromise your system by exploiting a security weakness in how the Registry hive files are protected. At this point, no patch is available to fix the flaw; instead, Microsoft is offering a series of workarounds designed to protect your computer in the meantime.


Specifically, HiveNightmare (also known as SeriousSAM) lets non-admin users access the contents of several Windows system files, including the Security Account Manager (SAM), SYSTEM, and SECURITY Registry hive files. Located in the system32\config directory, the SAM is home to such critical data as user accounts and passwords, so normally it is accessible only to privileged accounts and processes, and it is locked while in use.

In its description of the bug (CVE-2021-36934), Microsoft said that attackers who exploit the flaw could acquire system privileges to install programs, view or delete data, and create accounts with full user rights. The vulnerability affects all versions of Windows 10, including 1809, 1909, 2004, 20H2 and 21H1, as well as Windows Server 2019.

Microsoft blamed this weakness on overly permissive Access Control Lists for multiple system files. In its own vulnerability note, CERT explained that non-administrative users are granted RX (Read and Execute) access to files in the system32\config directory. Beyond the possible impact described by Microsoft, CERT said that if a Volume Shadow Copy Service of the system drive is available, a non-privileged user could also perform the following actions:

  • Extract and leverage account password hashes.
  • Discover the original Windows installation password.
  • Obtain DPAPI computer keys, which can be used to decrypt all computer private keys.
  • Obtain a computer machine account, which can be used in a silver ticket attack.

Noting that the flaw was uncovered by Twitter user Jonas L and verified by another account known as @GossiTheDog, tech news site Neowin reported that the vulnerability popped up when Microsoft rolled out the recent KB5004605 update, which added Advanced Encryption Standard encryption for certain password operations in Windows.


Microsoft rated the HiveNightmare vulnerability as Important, one step below Critical, and gave it an exploitability assessment of "Exploitation More Likely," meaning Microsoft expects the flaw to be attractive enough to attackers that working exploits are likely to be developed.

"Microsoft likely rated this as important versus critical because it requires an attacker to already be on a network to exploit," said Josh Smith, cyber threat analyst for Threat Intelligence and Rapid Response at Nuspire. "It is a local privilege escalation. With that, it is easily exploitable and affects Windows 10 version 1809 and newer. Organizations should take this seriously, as if an attacker gains a foothold into a network, they can create admin accounts, install programs, and modify data."

To see if your computer is susceptible to the flaw, CERT suggests opening a command prompt and running: icacls %windir%\system32\config\sam. If the output includes an entry for BUILTIN\Users:(I)(RX), then your system is vulnerable: the (I) marks the entry as inherited from the parent directory, and (RX) grants the Users group read and execute access to the SAM hive.

No patch is yet available for this flaw, so Microsoft and CERT suggest the following workarounds for any individual or organization concerned about it being exploited.

  1. Open a Command Prompt as an administrator. Type the following command: icacls %windir%\system32\config\*.* /inheritance:e
  2. Delete any System Restore points and Shadow volumes that you created before restricting access to %windir%\system32\config. To delete the shadow volumes, type the following command: vssadmin delete shadows /for=c: /Quiet
  3. Finally, create a new System Restore point (if desired).
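The CERT check and the three workaround steps above can be combined into a single audit-and-remediate script. The following PowerShell is an added example written for this article, not a script published by Microsoft or CERT. It assumes Windows PowerShell 5.1 running from an elevated prompt; the -Remediate switch, the function names and the description text are this example's own choices, while the icacls and vssadmin commands are the ones quoted in the article. Without -Remediate it only reports; it also counts existing shadow copies, since CERT's note ties the worst-case impact to a shadow copy of the system drive being available.

```powershell
# Added example (not from the article, Microsoft or CERT): audit the SAM, SYSTEM and
# SECURITY hives for the overly permissive ACL behind CVE-2021-36934, report whether
# shadow copies of the system drive exist, and apply the published workaround only
# when -Remediate is supplied. Assumes Windows PowerShell 5.1 running elevated.
[CmdletBinding()]
param(
    [switch]$Remediate   # hypothetical switch: change nothing unless given
)

$configDir = Join-Path $env:windir 'System32\config'
$hiveNames = 'SAM', 'SYSTEM', 'SECURITY'

function Test-HiveExposed {
    # Returns $true when BUILTIN\Users holds an Allow ACE that includes the right to
    # read the file's data, i.e. the BUILTIN\Users:(I)(RX) entry that icacls shows.
    param([Parameter(Mandatory)][string]$Path)

    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    # Get-Acl only needs READ_CONTROL, so it works even while the hive is locked.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $ace.AccessControlType -eq 'Allow' -and
            $ace.FileSystemRights.HasFlag($readData)) {
            return $true
        }
    }
    return $false
}

function Get-HiveExposureReport {
    # One row per hive file: its path and whether BUILTIN\Users can read it.
    foreach ($name in $hiveNames) {
        $path = Join-Path $configDir $name
        [pscustomobject]@{
            Hive    = $name
            Path    = $path
            Exposed = Test-HiveExposed -Path $path
        }
    }
}

# Shadow copies hold point-in-time copies of the hives, which is the condition under
# which CERT says hashes and machine keys can be extracted; count them for the report.
$shadowCount = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count

$report = Get-HiveExposureReport
$report | Format-Table -AutoSize
"Shadow copies present: $shadowCount"

if ($report.Exposed -contains $true) {
    Write-Warning 'At least one hive is readable by BUILTIN\Users (CVE-2021-36934 exposure).'
} else {
    'Hive ACLs look correct; no BUILTIN\Users read access found.'
}

if ($Remediate) {
    # Step 1 of the published workaround: restrict the contents of the config directory.
    icacls.exe "$configDir\*.*" /inheritance:e | Out-Null
    # Step 2: delete shadow copies of the system drive that still contain readable hives.
    vssadmin.exe delete shadows "/for=$env:SystemDrive" /Quiet | Out-Null
    # Step 3: create a fresh restore point now that the ACL is corrected.
    # System Restore (and therefore Checkpoint-Computer) is not present on Windows Server.
    if (Get-Command Checkpoint-Computer -ErrorAction SilentlyContinue) {
        Checkpoint-Computer -Description 'After CVE-2021-36934 workaround' -RestorePointType MODIFY_SETTINGS
    }
    'Workaround applied; re-run without -Remediate to confirm the hives are no longer exposed.'
}
```

Run it once without the switch to record the current state of every hive (the article's manual check covers only the SAM file), then with -Remediate to apply the workaround, and once more without it to confirm the Exposed column reads False for all three hives and the shadow copy count has dropped to zero.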

Microsoft's next step will likely be to create a patch to fix this flaw. But Smith said he doesn't expect to see an out-of-band patch unless proof of mass exploitation becomes public. Otherwise, a fix may not arrive until Aug. 10, Microsoft's next Patch Tuesday.
