CVE-2021-36934 (aka “HiveNightmare”) allows an unprivileged local authenticated user to read the user account database and obtain credentials that could be used to impersonate other users or take control of the system. This elevation of privilege vulnerability exists due to insecure permissions on privileged registry hives, such as SAM and SECURITY, which can be accessed via Volume Shadow Copies on some versions of the Windows 10 operating system. No patch exists but Microsoft has provided workaround options and security researchers have provided additional analysis and options for detection and mitigation.
Likelihood of exploitation: High
Exploit PoC: Publicly available
Exploitation in wild: No
In non-vulnerable versions of the Windows 10 operating system, default ACLs (access control lists, aka permissions) restrict access to files in the \\Harddisk\Windows\system32\config directory. This directory is the location for — among other things — the SAM and SECURITY hives, a set of files that back logical groups of registry keys, subkeys and values, that contain hashed account passwords (SAM), security policies (SECURITY) and other sensitive information. In vulnerable versions of Windows 10 these ACLs are misconfigured, allowing read access for standard unprivileged users via VSS (Volume Shadow Copy Service) shadow copy files. These files are snapshot backups that are automatically taken by the Windows system before certain operations, like Windows Update patching, and stored on disk.
To determine if a system is vulnerable, run the following command in a non-elevated cmd.exe command prompt:

icacls C:\Windows\System32\config\SAM

Vulnerable systems will display output similar to the following:

C:\Users\andrew>icacls C:\Windows\System32\config\SAM
C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

The key indicator of vulnerability is this line, from the above:

BUILTIN\Users:(I)(RX)
Please see Microsoft's two-part mitigation option (under the Workarounds section of the advisory). Make sure to carefully review the "Impact of workaround" information before implementing the "Delete Volume Shadow Copy Service (VSS) shadow copies" portion of the mitigation, since removing shadow copies also removes the restore points that depend on them.
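The following PowerShell script is an added example written for this page; it is not Microsoft's tooling and not code from the advisory. It performs the same check as the icacls command above across the SAM, SECURITY and SYSTEM hives from a non-elevated prompt, identifying BUILTIN\Users by its well-known SID (S-1-5-32-545) so the check is locale-independent, and it wraps the first half of Microsoft's published workaround (re-enabling ACL inheritance on %windir%\system32\config) in a function that supports -WhatIf. The function names, the hive list and the output object layout are this example's own choices.

```powershell
# Added example (not from the original advisory or from Microsoft).
# Assumes Windows PowerShell 5.1 or later on Windows 10.

function Test-HiveNightmare {
    # Reports, per hive file, whether the BUILTIN\Users group has been granted
    # read access. Get-Acl only needs READ_CONTROL on the file, so this works
    # from a non-elevated prompt exactly like the icacls check.
    [CmdletBinding()]
    param(
        # SAM and SECURITY are the hives the advisory names; SYSTEM holds the
        # boot key needed to decrypt their contents, so it is worth checking too.
        [string[]]$HiveNames = @('SAM', 'SECURITY', 'SYSTEM')
    )
    $configDir = Join-Path $env:windir 'System32\config'
    $usersSid  = 'S-1-5-32-545'   # well-known SID for BUILTIN\Users
    $readData  = [int][System.Security.AccessControl.FileSystemRights]::ReadData

    foreach ($name in $HiveNames) {
        $path = Join-Path $configDir $name
        $acl  = Get-Acl -LiteralPath $path

        # An "Allow" ACE for BUILTIN\Users that includes ReadData is the
        # condition icacls renders as BUILTIN\Users:(I)(RX) on a vulnerable host.
        $offending = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $usersSid -and
            (([int]$_.FileSystemRights -band $readData) -ne 0)
        }

        [pscustomobject]@{
            Hive         = $name
            Path         = $path
            UsersCanRead = [bool]$offending
            Inherited    = if ($offending) { [bool]$offending[0].IsInherited } else { $null }
            Rights       = ($offending | ForEach-Object { $_.FileSystemRights.ToString() }) -join '; '
        }
    }
}

function Repair-HiveNightmareAcl {
    # First half of Microsoft's published workaround: re-enable ACL inheritance
    # on every file under %windir%\system32\config so the directory's correct
    # permissions propagate. Requires an elevated prompt.
    # The second half (deleting existing VSS shadow copies) is deliberately not
    # automated here: those snapshots are also what System Restore relies on,
    # so follow the advisory's "Impact of workaround" guidance before removing them.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $target = Join-Path $env:windir 'System32\config\*.*'
    if ($PSCmdlet.ShouldProcess($target, 'icacls /inheritance:e')) {
        & icacls.exe $target /inheritance:e
    }
}

# Usage: audit first, then preview the ACL fix before applying it.
Test-HiveNightmare | Format-Table -AutoSize
Repair-HiveNightmareAcl -WhatIf
```

A host is vulnerable when any row reports UsersCanRead as True; on a patched or correctly configured system the BUILTIN\Users entry is absent from the hive files. Because the flawed ACE is inherited from the directory, the Inherited column will normally be True on affected hosts, which is why re-enabling inheritance from the directory's corrected ACL is an effective fix for the files themselves. Existing shadow copies still carry the old permissions, which is the reason the advisory's second step exists.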
- Microsoft: “Windows Elevation of Privilege Vulnerability (CVE-2021-36934)”
- CERT Coordination Center: “Microsoft Windows 10 gives unprivileged user access to system32\config files”
- CrowdStrike subreddit: “HIVENIGHTMARE/SeriousSAM Thread”
- “#HiveNightmare aka #SeriousSAM — anybody can read the registry in Windows 10”