Workaround for “SeriousSAM or HiveNightmare” registry vulnerability for Windows 10 and 11

An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files. Including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data. Or create new accounts with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability. Here are some related articles: What is Registry Editor and how to access the registry hives, and how to search through the Windows Registry? Here you will learn the Workaround for “SeriousSAM or HiveNightmare” registry vulnerability for Windows 10 and 11.

SeriousSAM or HiveNightmare Registry Vulnerability

Note: The database files associated with the Windows Registry are stored under the C:\Windows\system32\config folder and are broken up into different files such as SYSTEM, SECURITY, SAM, DEFAULT, and SOFTWARE. As these files contain sensitive information about all user accounts on a device and security tokens used by Windows features. They should be restricted from being viewed by regular users with no elevated privileges.

This is especially true for the Security Account Manager (SAM) file as it contains the hashed passwords for all users on a system which threat actors can use to assume their identity.

Please refer to these exciting guides: Volume Shadow Copies: How to configure VSS on Windows Server, Workaround for Microsoft Support Diagnostic Tool Vulnerability, How to resolve Git for Windows uninstaller is vulnerable to DLL hijacking when run under the SYSTEM user account, how to perform vulnerability scan on Microsoft SQL Server, and how does cached domain logon work?

How to determine if Windows 10 or 11 is affected by SeriousSAM or HiveNightmare” registry vulnerability

To check if your Windows 10 or 11 installation is affected. Please open PowerShell or Command Prompt and enter the following as shown in the image below.

As you can see below, this specific device is currently not vulnerable as the Registry databases are currently not accessible to the ‘Users’ group that has low privileges on a device.

Ensure your devices are correctly patched and test them to see if you are affected.

If the output displays the following permission, your Windows installation is affected by the vulnerability.

BUILTIN\Users:(I)(RX)

The SYSTEM and SAM credential database files have been updated to include the Read ACL set for all Users for some versions of Windows. This means that any authenticated user has the capability to extract these cached credentials on the host and use them for offline cracking or Pass-the-hash depending on the environment configuration.

This has only been identified on updated Windows 10 endpoints at this point, however, it is possible Windows Servers have been impacted. The following builds have been identified as impacted so far and you can identify your build by looking at winver in run dialog window (Win + R).

• 1809 ISO-June21 – 20H2
• 1909 ISO-June21 – 20H2
• 20H2 ISO-orig – 21H1
• 21H1 ISO-June21 – 11 Insider (Windows 11)

Microsoft has recently released a short-term workaround

Microsoft has recently released a short-term (provisional) workaround on 7/21/21 for systems that are vulnerable to the newly found HiveNightmare flaw.

The vulnerability was discovered by Twitter user 'Jonas L' and was seconded by a second user who noticed that the Windows Security Account Manager (SAM) database which contains all important passwords and keys was now apparently accessible by non-admin users. 

This flaw is also referred to as the SeriousSAM or HiveNightmare. As it enables attackers access to SAM, SYSTEM, and SECURITY registry hive files. Below are the recommended restricting access to the problematic folder and deleting Volume Shadow Copy Service (VSS) shadow copies to mitigate this issue.

Step 1 Workaround: Restrict Access to the contents of %windir%\system32\config

Having acknowledged the vulnerability in the new CVE dubbed 'CVE-2021-36934, please perform the following steps to restrict access.

Open Command Prompt or Windows PowerShell as an administrator.

Run this command "icacls %windir%\system32\config\*.* /inheritance:e" as shown below

- Command Prompt (Run as administrator): icacls %windir%\system32\config\*.* /inheritance:e
- Windows PowerShell (Run as administrator): icacls $env:windir\system32\config\*.* /inheritance:e

Kindly refer to some of the PrintNightMare guides I have written in the past. PrintNightmare security update for Windows Server 2012, 2016, and Windows 10, v1607 released: Why are the patches not so effective for the Print Spooler vulnerability? And Out-of-Band Security Update for PrintNightmare: Patch released for Windows Print Spooler Remote Code Execution Vulnerability.

Step 2 – Delete Volume Shadow Copy Service (VSS) shadow copies

Run command: vssadmin list shadows to see if there are shadow points. If there are, delete them with: vssadmin delete shadows /for=c: /Quiet

Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.

Create a new System Restore point (if desired).

Impact of workaround 

Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications.

I hope you found this blog post helpful on the Workaround for “SeriousSAM or HiveNightmare” registry vulnerability for Windows 10 and 11. If you have any questions, please let me know in the comment session.