HiveNightmare aka SeriousSam Local Privilege Escalation in Windows – CVE-2021-36934

Threat Intelligence its important for cybersecurity

This means that a regular (non-admin) user can extract data from these files and access system secrets, local users’ hashed passwords, computer account password, service accounts in clear-text (including domain service accounts configured to run services on the system) and other information.

HiveNightmare-SeriousSAM-LPE-Windows-ACL
Default ACL on the SAM registry file giving read access to regular users

The registry files are normally locked but they can easily be accessed when “System Protection” is enabled by simply accessing the shadow copy of the system drive.

HiveNightmare-SeriousSAM-LPE-Windows-ACL
HiveNightmare proof-of-concept to read local hives from shadow copy as regular user using Mimikatz

The initial reports say Windows 11 and 10 version 1809 and above are vulnerable.

EDR solutions should already monitor any access to SAM, SYSTEM and other registry files and should already cover this case.

As a shadow copy is needed since the registry files are loaded and locked by the system, to prevent users from accessing these files a short-term workaround is to disable the “System Protection”. This will remove any previous shadow copies from the system. As an additional consequence, it will not be possible to revert to the state of the system before the last upgrade.

NOTE: this will remove the volume shadow copies that were taken by the system protection function (enabled by default on Windows 10 systems with a system drive of 128GB or larger). If you have any other mechanisms creating shadow copies for the affected registry files, you should handle those separately.

The setting can be disabled from “System Properties” as shown below.

HiveNightmare-SeriousSAM-LPE-Windows-ACL
Disable “System Protection”

Initial discovery by @jonasLyk

UPDATE JULY 21, 2021

Microsoft has assigned CVE-2021-36934 to this vulnerability and included the following recommended workarounds

Restrict access to the contents of %windir%system32config

  1. Open Command Prompt or Windows PowerShell as an administrator.
  2. Run this command: icacls %windir%system32config*.* /inheritance:e

Delete Volume Shadow Copy Service (VSS) shadow copies

  1. Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%system32config.
  2. Create a new System Restore point (if desired).

Impact of workaround Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications.

Note You must restrict access and delete shadow copies to prevent exploitation of this vulnerability.