HiveNightmare

Summary

CVE-2021-36934 (aka “HiveNightmare” or “SeriousSAM”) allows an unprivileged local authenticated user to read the user account database and obtain credential material (password hashes and cached secrets) that could be used to impersonate other users or take control of the system. This elevation of privilege vulnerability exists because of overly permissive ACLs on privileged registry hives such as SAM and SECURITY. The live hive files are held open by the system, but copies of them inside Volume Shadow Copies are readable by standard users on affected versions of Windows 10 (version 1809 and later, per Microsoft’s advisory). At the time of writing no patch exists, but Microsoft has published workaround options and security researchers have provided additional analysis and options for detection and mitigation.

Risk:   Critical
Likelihood of exploitation: High
Exploit PoC: Publicly available
Exploitation in wild: No

Description

In non-vulnerable versions of the Windows 10 operating system, the default ACLs (access control lists, i.e. permissions) restrict access to the files in %SystemRoot%\System32\config (normally C:\Windows\System32\config). This directory holds, among other things, the SAM, SECURITY and SYSTEM hives: files that back logical groups of registry keys, subkeys and values, containing hashed account passwords (SAM), LSA secrets, cached domain logon hashes and security policy (SECURITY), and the boot key needed to decrypt the SAM hashes (SYSTEM). In vulnerable versions of Windows 10 these ACLs are misconfigured and grant BUILTIN\Users read and execute access. The live hive files still cannot be read directly, because the kernel keeps them open exclusively, but VSS (Volume Shadow Copy Service) shadow copies contain byte-for-byte copies of the files with the same permissive ACLs and no such lock, so a standard user can read the hives from a snapshot. Shadow copies are taken automatically by Windows before certain operations, such as Windows Update patching and System Restore point creation, and are stored on the same volume.

Detection

To determine whether a system carries the permissive ACL, run the following command as a standard (non-administrator) user in a non-elevated cmd.exe command prompt:

icacls C:\Windows\System32\config\SAM

Vulnerable systems will display output similar to the following:

C:\Users\andrew>icacls C:\Windows\System32\config\SAM
C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)
Successfully processed 1 files; Failed processing 0 files

The key indicator of vulnerability is this line from the above:

BUILTIN\Users:(I)(RX)

On a non-vulnerable system the same non-elevated command either lists no BUILTIN\Users entry or fails with “Access is denied”. Note that the ACL on the live file only shows whether the host is exposed right now: shadow copies created while the ACL was permissive keep their own copy of it, so a host whose live ACL has since been fixed remains vulnerable through older snapshots until those are deleted (see Remediation).
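The same check scripted for a non-elevated PowerShell 5.1 session, as an added example that is not part of the original advisory. It goes beyond the single icacls line above in three ways: it inspects the DACL of the SAM, SECURITY and SYSTEM hives for a BUILTIN\Users read ACE, it shows why the live hive is still unreadable (the open fails with ERROR_SHARING_VIOLATION, 32, because the kernel holds the file), and it probes the shadow copy device paths to see whether a snapshot exposes a readable hive. Assumptions: the hives live under $env:SystemRoot\System32\config on the shadowed system volume, and shadow copy devices are numbered HarddiskVolumeShadowCopy1 through 9 (the range is a guess; raise it on hosts with many restore points). The script only reads the four-byte hive signature; it does not copy or dump anything.

```powershell
# Added example, not from the original advisory: non-elevated check for the
# CVE-2021-36934 precondition. CreateFileW is P/Invoked because it accepts the
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\ device paths directly.
Add-Type -Namespace HiveCheck -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern Microsoft.Win32.SafeHandles.SafeFileHandle CreateFileW(
    string lpFileName, uint dwDesiredAccess, uint dwShareMode,
    IntPtr lpSecurityAttributes, uint dwCreationDisposition,
    uint dwFlagsAndAttributes, IntPtr hTemplateFile);
'@

$GENERIC_READ   = [uint32]0x80000000
$SHARE_ALL      = [uint32]7       # FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE
$OPEN_EXISTING  = [uint32]3
$FILE_ATTR_NORM = [uint32]0x80
$HiveNames      = 'SAM', 'SECURITY', 'SYSTEM'
$MaxShadowIndex = 9               # assumption: probe HarddiskVolumeShadowCopy1..9

# True when BUILTIN\Users holds an Allow ACE that includes ReadData on $Path.
# Get-Acl needs only READ_CONTROL, which the bad ACE grants; on a fixed host it
# throws "access denied" for a standard user, which is reported as $false.
function Test-UsersReadAce {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path } catch { return $false }
    $readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData
    $hit = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        (([int]$_.FileSystemRights -band $readData) -ne 0)
    }
    return [bool]$hit
}

# Opens $Path read-only and returns 'regf' (the registry hive signature) when
# the first 4 bytes could be read, otherwise the Win32 error code from
# CreateFileW: 32 = sharing violation, 5 = access denied, 2/3 = no such path.
function Get-HiveOpenResult {
    param([string]$Path)
    $handle = [HiveCheck.Native]::CreateFileW($Path, $GENERIC_READ, $SHARE_ALL,
        [IntPtr]::Zero, $OPEN_EXISTING, $FILE_ATTR_NORM, [IntPtr]::Zero)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($handle.IsInvalid) { return $err }
    $stream = $null
    try {
        $stream = New-Object System.IO.FileStream($handle, [System.IO.FileAccess]::Read)
        $sig = New-Object byte[] 4
        $null = $stream.Read($sig, 0, 4)
        return [System.Text.Encoding]::ASCII.GetString($sig)
    } finally {
        if ($stream) { $stream.Dispose() } else { $handle.Close() }
    }
}

$config = Join-Path $env:SystemRoot 'System32\config'
foreach ($name in $HiveNames) {
    $live = Join-Path $config $name
    $rel  = $live.Substring(3)         # drop "C:\" so the path can be re-rooted on a snapshot
    $ace  = Test-UsersReadAce $live
    $open = Get-HiveOpenResult $live   # 32 expected on a vulnerable host: ACL allows, lock blocks
    "{0,-8} Users read ACE: {1,-5} live open result: {2}" -f $name, $ace, $open
    foreach ($n in 1..$MaxShadowIndex) {
        $shadow = "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$n\$rel"
        $r = Get-HiveOpenResult $shadow
        if ($r -is [string] -and $r -eq 'regf') {
            "  VULNERABLE: $shadow is a readable hive for this standard user"
        } elseif ($r -eq 5) {
            "  shadow copy $n exists but denies access to $name (snapshot ACL is restrictive)"
        }
        # 2 or 3 means no shadow copy with that index; nothing to report
    }
}
```

A host is exposed when any hive line prints VULNERABLE; a host that shows the Users read ACE but no readable snapshot is one shadow copy away from being exposed, which is why Microsoft's workaround has two parts.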

Remediation

Please see Microsoft’s two-part mitigation option (under the Workarounds section of the CVE-2021-36934 advisory). Part one restricts the ACLs on the hive files; part two deletes existing shadow copies, because snapshots taken before part one still contain readable copies of the hives. Make sure to carefully review the Impact of workaround information before implementing the Delete Volume Shadow Copy Service (VSS) shadow copies portion of the mitigation: it also removes existing System Restore points and can affect restore operations of backup tooling that relies on VSS.
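Microsoft's two-part workaround applied and verified from an elevated PowerShell session, as an added example that is not part of the original advisory. The icacls command is the one Microsoft published for part one; the vssadmin call, the volume filtering, the verification steps and the optional restore point at the end are this example's own choices, and the script assumes the hives sit on the %SystemDrive% volume. Part two deletes every shadow copy, and with it every System Restore point, on that volume, so read the Impact of workaround text before running it.

```powershell
# Added example, not from the original advisory: apply and verify Microsoft's
# two-part workaround for CVE-2021-36934. Run elevated.
#Requires -RunAsAdministrator
$config    = Join-Path $env:SystemRoot 'System32\config'
$HiveNames = 'SAM', 'SECURITY', 'SYSTEM'

# Part 1 (Microsoft's published command): re-enable ACL inheritance on the hive
# files so they take the parent directory's ACEs instead of the permissive ones.
icacls "$config\*.*" /inheritance:e
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Verify part 1: no Allow ACE for BUILTIN\Users may remain on the hives.
$stillOpen = foreach ($name in $HiveNames) {
    $path = Join-Path $config $name
    $bad = (Get-Acl -LiteralPath $path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq 'BUILTIN\Users'
    }
    if ($bad) { $name }
}
if ($stillOpen) { throw "BUILTIN\Users still has an Allow ACE on: $($stillOpen -join ', ')" }

# Part 2: snapshots taken before part 1 still carry the old ACLs, so a standard
# user can keep reading the hives from them. Remove them from the system volume.
$drive  = $env:SystemDrive                                   # e.g. C:
$sysVol = (Get-CimInstance Win32_Volume -Filter "DriveLetter='$drive'").DeviceID
$shadows = @(Get-CimInstance Win32_ShadowCopy | Where-Object VolumeName -eq $sysVol)
"Shadow copies on $drive before cleanup: $($shadows.Count)"
$shadows | Format-Table ID, InstallDate, DeviceObject -AutoSize
if ($shadows.Count -gt 0) {
    vssadmin delete shadows /for=$drive /all /quiet
    if ($LASTEXITCODE -ne 0) { throw "vssadmin failed with exit code $LASTEXITCODE" }
}

# Verify part 2: nothing may remain for the system volume.
$remaining = @(Get-CimInstance Win32_ShadowCopy | Where-Object VolumeName -eq $sysVol)
if ($remaining.Count -gt 0) { throw "Shadow copies still present: $($remaining.ID -join ', ')" }
"Shadow copies on $drive after cleanup: 0"

# Optional: take a fresh restore point now that the hives are locked down, so a
# new snapshot is created with the corrected ACLs. Needs System Protection on
# the drive and is throttled by Windows to one restore point per 24 hours.
try {
    Checkpoint-Computer -Description 'Post CVE-2021-36934 workaround' -RestorePointType MODIFY_SETTINGS
} catch {
    Write-Warning "Restore point not created: $($_.Exception.Message)"
}
```

Re-run the non-elevated icacls check from the Detection section afterwards; it should now fail with “Access is denied” for a standard user, and no shadow copy should expose a readable hive.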

Additional Information