Windows "HiveNightmare" bug could expose system files to non-admin users

2 years ago 290

An attacker who exploits this flaw could usage strategy privileges to instal programs, presumption oregon delete data, and make accounts with afloat idiosyncratic rights.

Another day, different Windows bug. Following a drawstring of caller flaws discovered successful Windows, the latest vulnerability dubbed "HiveNightmare" could let idiosyncratic to compromise your strategy by exploiting a information weakness that affects the Registry. At this point, nary spot is disposable to hole the flaw; alternatively Microsoft is offering a bid of workarounds designed to support your machine from this caller dilemma.

SEE: Checklist: Securing Windows 10 systems (TechRepublic Premium)

Specifically, HiveNightmare (also known arsenic SeriousSAM) lets non-admin users entree the contents of antithetic Windows strategy files, including the Security Account Manager (SAM), SYSTEM, and SECURITY Registry hive files. Located successful the system32\config directory, the SAM is location to specified captious information arsenic idiosyncratic accounts and passwords, truthful usually it's accessible lone to privileged accounts and processes and locked erstwhile successful use.

In its statement of the bug (CVE-2021-36934), Microsoft said that attackers who exploit the flaw could get strategy privileges to instal programs, presumption oregon delete data, and make accounts with afloat idiosyncratic rights. The vulnerability affects each versions of Windows 10, including 1809, 1909, 2004, 20H2 and 21H1, arsenic good arsenic Windows Server 2019.

Microsoft blamed this weakness connected overly permissive Access Control Lists for aggregate strategy files. In its own vulnerability note, CERT explained that non-administrative users are granted RX (Read and Execute) entree to files successful the system32\config directory. Beyond the imaginable interaction described by Microsoft, CERT said that if a Volume Shadow Copy Service of the strategy thrust is available, a non-privileged idiosyncratic could besides execute the pursuing actions:

Extract and leverage relationship password hashes.
Discover the archetypal Windows installation password.
Obtain DPAPI machine keys, which tin beryllium utilized to decrypt each machine backstage keys.
Obtain a machine instrumentality account, which tin beryllium utilized successful a silver summons attack.

Noting that the flaw was uncovered by Twitter idiosyncratic Jonas L and verified by different relationship known arsenic @GossiTheDog, tech quality tract Neowin reported that the vulnerability popped up erstwhile Microsoft rolled retired the caller KB5004605 update, which added Advanced Encryption Standard encryption for definite password operations successful Windows.

SEE: Photos: Windows 11 features you request to know (TechRepublic)

Microsoft tagged the HiveNightmare vulnerability arsenic Important, 1 measurement beneath Critical, and assessed its presumption arsenic "Exploitation More Likely," which means it would beryllium an charismatic people for attackers and truthful much apt that exploits could beryllium created.

To spot if your machine is susceptible to the flaw, CERT suggests opening a bid punctual and typing the following: icacls %windir%\system32\config\sam. If the output includes an introduction for BUILTIN\Users:(I)(RX), past your strategy is vulnerable.

No spot is yet disposable for this flaw, prompting Microsoft and CERT to suggest the pursuing workarounds for immoderate idiosyncratic oregon enactment disquieted astir this spread being exploited.

Open a Command Prompt arsenic an administrator. Type the pursuing command: icacls %windir%\system32\config\*.* /inheritance:e
Delete immoderate System Restore points and Shadow volumes that you created earlier restricting entree to %windir%\system32\config. To delete the shadiness volumes, benignant the pursuing command: vssadmin delete shadows /for=c: /Quiet
Finally, make a caller System Restore constituent (if desired).