Microsoft earlier today released a temporary workaround solution for systems that are vulnerable to the newly found HiveNightmare security flaw. The vulnerability was discovered by Twitter user 'Jonas L' and also verified by another user '@GossiTheDog' who noticed that the Windows Security Account Manager (SAM) database - that contains all important passwords and keys - was now apparently accessible by non-admin users. This is why the new flaw is called SeriousSAM or HiveNightmare as it gives an attacker access to SAM, SYSTEM, and SECURITY registry hive files.
yarh- for some reason on win11 the SAM file now is READ for users.
— Jonas L (@jonasLyk) July 19, 2021
So if you have shadowvolumes enabled you can read the sam file like this:
I dont know the full extent of the issue yet, but its too many to not be a problem I think. pic.twitter.com/kl8gQ1FjFt
The problem was first introduced when Microsoft released the recent KB5004605 update that added Advanced Encryption Standard (AES) encryption and all OS versions starting from Windows 10 build 1809, including the latest Windows 11 Insider Preview Build 22000.71 are exploitable.
Microsoft has acknowledged the vulnerability in the new CVE dubbed 'CVE-2021-36934' and has provided the following workaround:
-
Restrict access to the contents of %windir%\system32\config
-
Open Command Prompt or Windows PowerShell as administrator.
-
Run this command:
-
icacls %windir%\system32\config\*.* /inheritance:e
-
Delete Volume Shadow Copy Service (VSS) shadow copies
-
Open Command Prompt or Windows PowerShell as administrator.
-
Run command: vssadmin list shadows to see if there are shadow points
-
If there are, delete them with: vssadmin delete shadows /for=c: /Quiet
-
Run command: vssadmin list shadows again to see if they are deleted
-
Delete any System Restore points that existed prior to restricting access to %windir%\system32\config
-
Create a new System Restore point (if needed)
-
For those wondering if their system may be vulnerable to this exploit, most computers that have OS drives bigger than 128GB likely generate VSS shadow copies which can be exploited by an attacker. For those who wish to be sure if their system has created VSS files and whether their computer is exploitable, the CERT has provided an excellent guide to check how.
Update: As a reader 'Tantawi' has pointed out, we missed adding how a user would be able to delete their VSS shadows. The command that will do so can be found on Microsoft's official page here.
20 Comments - Add comment