Summary
CVE-2021-36934 (aka “HiveNightmare”) allows an unprivileged local authenticated user to read the user account database and obtain credentials that could be used to impersonate other users or take control of the system. This elevation of privilege vulnerability exists due to insecure permissions on privileged registry hives, such as SAM and SECURITY, which can be accessed via Volume Shadow Copies on some versions of the Windows 10 operating system. No patch exists but Microsoft has provided workaround options and security researchers have provided additional analysis and options for detection and mitigation.
Risk: Critical
Likelihood of exploitation: High
Exploit PoC: Publicly available
Exploitation in wild: No
Description
In non-vulnerable versions of the Windows 10 operating system, default ACLs (access control lists, aka permissions) restrict access to files in the \\Harddisk\Windows\system32\config directory. This directory holds, among other things, the SAM and SECURITY hives: files that back logical groups of registry keys, subkeys and values, and that contain hashed account passwords (SAM), security policy data (SECURITY) and other sensitive information. In vulnerable versions of Windows 10 these ACLs are misconfigured and grant read access to standard unprivileged users. The live hive files are held open exclusively by the operating system while it runs, so in practice the readable copies are the ones inside VSS (Volume Shadow Copy Service) shadow copies. These shadow copies are snapshot backups that Windows takes automatically before certain operations, such as Windows Update patching, and stores on disk.
Detection
To determine if a system is vulnerable, run the following command in a non-elevated cmd.exe command prompt:
icacls C:\Windows\System32\config\SAM
Vulnerable systems will display output similar to the following:
C:\Users\andrew>icacls C:\Windows\System32\config\SAM
C:\Windows\System32\config\SAM BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                               APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
The key indicator of vulnerability is this line, from the above:
BUILTIN\Users:(I)(RX)
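The same check, scripted for a fleet rather than one console, as an added example that is not part of the original advisory. It reads the ACL of the SAM, SECURITY and SYSTEM hive files with Get-Acl and reports any Allow entry that grants BUILTIN\Users read data access, which is the indicator above. Run it from a NON-elevated PowerShell prompt: on a patched system a standard user cannot read the file's security descriptor at all, so an access-denied error is the expected, non-vulnerable outcome. The hive name list and the output object shape are choices made for this example.

```powershell
# Added example (not from the original advisory): automate the icacls check for
# CVE-2021-36934 by inspecting the ACL of each protected hive file.
$hiveDir   = Join-Path $env:windir 'System32\config'
$hiveNames = 'SAM', 'SECURITY', 'SYSTEM'            # hives worth checking (assumed list)
$readData  = [System.Security.AccessControl.FileSystemRights]::ReadData

$results = foreach ($name in $hiveNames) {
    $path = Join-Path $hiveDir $name
    try {
        # Reading the security descriptor needs READ_CONTROL; (RX) includes it,
        # so a vulnerable file lets a standard user get this far.
        $acl = Get-Acl -LiteralPath $path -ErrorAction Stop
    } catch {
        # Access denied here means the hive is NOT readable by standard users.
        [pscustomobject]@{
            Hive   = $name
            Status = 'NotVulnerable'
            Detail = "cannot read ACL as a standard user: $($_.Exception.Message)"
        }
        continue
    }

    # Look for an Allow ACE for BUILTIN\Users that includes the ReadData right
    # (ReadAndExecute, the (RX) shown by icacls, contains it).
    $usersRead = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        (([int]$_.FileSystemRights) -band ([int]$readData)) -ne 0
    }

    if ($usersRead) {
        [pscustomobject]@{
            Hive   = $name
            Status = 'VULNERABLE'
            Detail = "BUILTIN\Users granted $($usersRead.FileSystemRights -join ', ')"
        }
    } else {
        [pscustomobject]@{
            Hive   = $name
            Status = 'NotVulnerable'
            Detail = 'no read ACE for BUILTIN\Users'
        }
    }
}

$results | Format-Table -AutoSize
```

A VULNERABLE row means the permissions are wrong; whether the weakness is actually exploitable on that host also depends on shadow copies existing, which an administrator can enumerate with vssadmin list shadows from an elevated prompt.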
Remediation
Please see Microsoft’s two-part mitigation option (under the Workarounds section of the Microsoft advisory linked below). Make sure to carefully review the Impact of workaround information before implementing the Delete Volume Shadow Copy Service (VSS) shadow copies portion of the mitigation, since it also removes System Restore points.
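One way to apply the two-part workaround from an elevated PowerShell prompt, as an added example that is not the advisory's own code. Part 1 is the icacls inheritance command from Microsoft's published workaround; part 2 uses vssadmin to remove existing shadow copies, which is this example's assumption about how to carry out the "delete shadow copies" step (Microsoft describes the step rather than mandating a tool). Review the impact of part 2 before running it.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original advisory): apply Microsoft's two-part
# workaround for CVE-2021-36934 and verify the result. Run elevated.
$configDir = Join-Path $env:windir 'System32\config'

# Part 1: re-enable ACL inheritance on the hive files so they take the
# restrictive inheritable permissions of the config directory (Microsoft's
# documented workaround command).
icacls "$configDir\*.*" /inheritance:e

# Part 2: delete shadow copies created before the ACL fix; they still hold
# readable copies of the hives. This removes System Restore points as well.
# (vssadmin chosen for this example; any VSS management tool would do.)
vssadmin delete shadows "/for=$env:SystemDrive" /all /Quiet

# Verification: BUILTIN\Users should no longer appear with (RX) on SAM, and
# no shadow copies should remain for the system drive.
icacls "$configDir\SAM"
vssadmin list shadows
```

After the fix, any new shadow copies or restore points are taken from the corrected files, so only copies that predate part 1 need to be removed.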
Additional Information
- Microsoft: “Windows Elevation of Privilege Vulnerability (CVE-2021-36934)”
- CERT Coordination Center: “Microsoft Windows 10 gives unprivileged user access to system32\config files”
- CrowdStrike subreddit: “HIVENIGHTMARE/SeriousSAM Thread”
- “#HiveNightmare aka #SeriousSAM — anybody can read the registry in Windows 10”