Security | Vulnerability Scans and Assessment

Mitigate SAM Database vulnerability: Workaround for “SeriousSAM or HiveNightmare” registry vulnerability for Windows 10 and 11

HiveNightmare

An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have the ability to execute code on a victim system to exploit this vulnerability. See the following hyperlinks for some Windows Registry contents I have written. What is Registry Editor and how to access the registry hives, and how to search through the Windows Registry?

The Windows SAM database is apparently accessible by non-admin users in Windows 10, according to Kevin Beaumont on Twitter. The problem was first introduced when Microsoft released the recent KB5004605 update that added Advanced Encryption Standard (AES) encryption and all OS versions starting from Windows 10 build 1809, including the latest Windows 11 Insider Preview Build 22000.71 are exploitable.

Note: The database files associated with the Windows Registry are stored under the C:\Windows\system32\config folder and are broken up into different files such as SYSTEM, SECURITY, SAM, DEFAULT, and SOFTWARE. As these files contain sensitive information about all user accounts on a device and security tokens used by Windows features, they should be restricted from being viewed by regular users with no elevated privileges. This is especially true for the Security Account Manager (SAM) file as it contains the hashed passwords for all users on a system, which threat actors can use to assume their identity.

To check if your Windows 10 or Windows 11 installation is affected, you can open PowerShell or Command Prompt and enter the following as shown in the image below. As you can see below, this specific device is currently not vulnerable as the Registry databases are currently not accessible to the ‘Users’ group that has low privileges on a device. Ensure your devices are correctly patched and test to see if you are affected.

If the output displays the following permission, your Windows installation is affected by the vulnerability.

BUILTIN\Users:(I)(RX)

The SYSTEM and SAM credential database files have been updated to include the Read ACL set for all Users for some versions of Windows. This means that any authenticated user has the capability to extract these cached credentials on the host and use them for offline cracking or Pass-the-hash depending on the environment configuration. This has only been identified on updated Windows 10 endpoints at this point, however, it is possible Windows Servers have been impacted. The following builds have been identified as impacted so far and you can identify your build by looking at winver in run dialog window (Win + R).

  • 1809 ISO-June21 – 20H2
  • 1909 ISO-June21 – 20H2
  • 20H2 ISO-orig – 21H1
  • 21H1 ISO-June21 – 11 Insider (Windows 11)

Microsoft has recently released a short-term (provisional) workaround on 7/21/21 for systems that are vulnerable to the newly found HiveNightmare flaw. The vulnerability was discovered by Twitter user ‘Jonas L’ and was seconded by a second user who noticed that the Windows Security Account Manager (SAM) database which contains all important passwords and keys was now apparently accessible by non-admin users. This flaw is also referred to as the SeriousSAM or HiveNightmare as it enables attackers access to SAM, SYSTEM, and SECURITY registry hive files. Below are the recommended restricting access to the problematic folder and deleting Volume Shadow Copy Service (VSS) shadow copies to mitigate this issue.

Step 1 – Restrict Access to the contents of %windir%\system32\config: Having acknowledged the vulnerability in the new CVE dubbed ‘CVE-2021-36934, please perform the following steps to restrict access.
– Open Command Prompt or Windows PowerShell as an administrator.

Screenshot-2021-07-22-at-13.18.43
Run this command "icacls %windir%\system32\config\*.* /inheritance:e" as shown below

- Command Prompt (Run as administrator): icacls %windir%\system32\config\*.* /inheritance:e
- Windows PowerShell (Run as administrator): icacls $env:windir\system32\config\*.* /inheritance:e
Screenshot-2021-07-22-at-12.52.46

Step 2 – Delete Volume Shadow Copy Service (VSS) shadow copies: Run command: vssadmin list shadows to see if there are shadow points. If there are, delete them with: vssadmin delete shadows /for=c: /Quiet
– Delete any System Restore points and Shadow volumes that existed prior to restricting access to %windir%\system32\config.

Screenshot-2021-07-22-at-13.47.34

Create a new System Restore point (if desired).
Impact of workaround Deleting shadow copies could impact restore operations, including the ability to restore data with third-party backup applications.

I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.

Subscribe
Notify of
guest
2 Comments
Inline Feedbacks
View all comments
John
John
1 month ago

Thanks for this.

2
0
Would love your thoughts, please comment.x
()
x