HiveNightmare: CVE-2021-36934 Windows 10 Version 1809 (and Newer) Vulnerability
What type of vulnerability is HiveNightmare?
According to Microsoft’s official description of the issue, it is an elevation of privilege flaw caused by an “overly permissive Access Control Lists (ACLs) on multiple system files, including the SAM (Security Accounts Manager) database.
Once the vulnerability is exploited successfully, the attacker could run arbitrary code with SYSTEM privileges. Once this is achieved, the attacker could install programs, view, change, or delete data, or create new accounts with full user rights.
There is one condition for the issue to be exploited successfully: the attacker must be able to execute arbitrary code on a vulnerable system.
What versions of Windows 10 are affected?
Currently, Microsoft can “confirm that this issue affects Windows 10 version 1809 and newer operating systems.”
The CVE-2021-36934 flaw has been called HiveNightmare by security researcher Kevin Beaumont, which is a reference to the recently discovered PrintNightmare issue. Hive refers to the English name of the Windows Registry structure files. “In total, there are five files SYSTEM, SECURITY, SAM, DEFAULT and SOFTWARE in the folder C:\Windows\system32\config. Beaumont had already published yesterday a tool to read the content of the Security Access Management (SAM) database,” explained Born’s Tech and Windows World blog.
Microsoft advises impacted Windows 10 users to restrict access to the contents of %windir%\system32\config. This could be done by following these steps:
1.Open Command Prompt or Windows PowerShell as an administrator.
2.Run this command: icacls %windir%\system32\config\*.* /inheritance:e
Another possible solution is deleting the Volume Shadow Copy Service (VSS) shadow copies. However, this could seriously damage restore operations, such as the ability to restore data via third-party backup solutions.
“You must restrict access and delete shadow copies to prevent exploitation of this vulnerability,” Microsoft says.
The Print Spooler Vulnerability
Earlier this month, Microsoft disclosed the so-called PrintNightmare flaw. Exploitation of the PrintNightmare vulnerability could enable remote attackers to gain full control over affected systems. Remote code execution could be achieved by targeting a user authenticated to the spooler service.
Affected Microsoft products include all operating systems from Windows 7 to Windows 10, and everything from Server 2008 to Server 2019.